From b7b8b279f3e082e9d4b54144fe831bdc77b2e0c9 Mon Sep 17 00:00:00 2001
From: Sanchit Chadha <31522190+schadha-ibm@users.noreply.github.com>
Date: Tue, 11 Jan 2022 18:28:41 -0500
Subject: [PATCH] Fix for CVE-2021-23450, prototype pollution (#418)
---
 _base/lang.js | 4 ++++
 tests/unit/_base/lang.js | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/_base/lang.js b/_base/lang.js
index c72ee0bb65..331d43be3d 100644
--- a/_base/lang.js
+++ b/_base/lang.js
@@ -31,6 +31,10 @@ define(["./kernel", "../has", "../sniff"], function(dojo, has){
 try{
 for(var i = 0; i < parts.length; i++){
 var p = parts[i];
+ // Fix for prototype pollution CVE-2021-23450
+ if (p === '__proto__' || p === 'constructor') {
+ return;
+ }
 if(!(p in context)){
 if(create){
 context[p] = {};
diff --git a/tests/unit/_base/lang.js b/tests/unit/_base/lang.js
index 0e7a661846..d9e4ed89fa 100644
--- a/tests/unit/_base/lang.js
+++ b/tests/unit/_base/lang.js
@@ -62,6 +62,20 @@ define([
 lang.setObject('foo', { bar: 'test' }, test);
 assert.deepEqual(test, { foo: { bar: 'test' } });
+
+ // CVE-2021-23450 tests
+ // Test that you can't set fields on Object.prototype itself.
+ const obj = {};
+ lang.setObject("__proto__.vuln", "polluted!", obj);
+ assert.isUndefined("anything".vuln);
+
+ // Test that you can't set fields on Object.constructor itself.
+ lang.setObject("constructor.vuln", "polluted!", obj);
+ assert.isUndefined("anything".constructor.vuln);
+
+ // Test that you can still set normal fields in an obj.
+ lang.setObject("foo.bar", "value for normal field", obj);
+ assert.strictEqual(obj.foo.bar, "value for normal field");
 },
 '.mixin': function () {
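Review bot: The guard added at the top of the loop is a two-name denylist, and the `if(!(p in context))` test right after it still treats inherited members as existing, so a segment naming any other inherited property is walked into instead of being created on the target. Keying the create branch on own properties would address the whole class rather than two names, e.g. `if(create && !Object.prototype.hasOwnProperty.call(context, p)){ context[p] = {}; }`; whether existing callers depend on walking inherited namespaces needs checking first. The guard also runs when `create` is false, so lookups through a `constructor` segment now return undefined; if that is intended, the comment should say so, for instance `// Rejected on reads as well as writes; returns undefined`. The enclosing function begins and ends outside the hunk, so the step that advances `context` and the caller's handling of the final path segment are assumed rather than visible here.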
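Review bot: The second assertion, `assert.isUndefined("anything".constructor.vuln)`, cannot fail: `"anything".constructor` is `String`, while a `constructor.vuln` write through `obj` would land on `Object`, and `String` does not see own properties of `Object`. Assert on the object that would actually be modified, e.g. `assert.isUndefined(obj.constructor.vuln);`, and reword the comment above it, since the target is `Object` (the constructor of `obj`) rather than "Object.constructor". If either pollution assertion ever does fail, the stray property stays on a shared built-in for the rest of the run, so a cleanup such as `delete Object.prototype.vuln;` after the checks would keep later tests independent. The test function these lines sit in starts outside the hunk.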