Merge pull request #86 from RebeccaStevens/security/prototype-pollution
RebeccaStevens committed Mar 31, 2022
2 parents 7436788 + d637db7 commit b39f1a9
Showing 2 changed files with 26 additions and 1 deletion.
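--- a/src/deepmerge.ts
+++ b/src/deepmerge.ts
@@ -438,7 +438,16 @@ function defaultMergeRecords<
 continue;
 }
 
-result[key] = propertyResult;
+if (key === "__proto__") {
+Object.defineProperty(result, key, {
+value: propertyResult,
+configurable: true,
+enumerable: true,
+writable: true,
+});
+} else {
+result[key] = propertyResult;
+}
 }
 
 /* eslint-enable functional/no-loop-statement, functional/no-conditional-statement */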
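Review bot: The new `__proto__` branch carries no comment explaining why it must not use the plain assignment below it, so a later "simplification" back to `result[key] = propertyResult` would reopen the prototype-pollution path this commit closes. I would add above the `if`: `// "__proto__" must become an own property of result: a bracket assignment would invoke the inherited __proto__ setter and replace result's prototype with the merged value (prototype pollution).` The `defineProperty` with `configurable`/`enumerable`/`writable` all `true` presumably mirrors what a normal assignment produces for other keys, which is worth stating in the same comment so the descriptor is not tightened by accident. `defaultMergeRecords` starts above this hunk, so whether `result` is created with a null prototype (where the setter would not exist anyway) is not visible here.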
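--- a/tests/deepmerge.test.ts
+++ b/tests/deepmerge.test.ts
@@ -539,3 +539,19 @@ test(`merging objects with null prototype`, (t) => {
 
 t.deepEqual(merged, expected);
 });
+
+test("prototype pollution", (t) => {
+const payload = '{"__proto__":{"a0":true}}';
+
+const x: any = JSON.parse(payload);
+const y: any = {};
+
+const merged: any = deepmerge(x, y);
+
+t.deepEqual(JSON.stringify(merged), payload);
+
+t.not(({} as any).a0, true, "Safe POJO");
+t.not(x.a0, true, "Safe x input");
+t.not(y.a0, true, "Safe y input");
+t.not(merged.a0, true, "Safe output");
+});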
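Review bot: If this test ever regresses, `a0` stays on `Object.prototype` for the rest of the test run, so unrelated tests that follow can fail in confusing ways; the test should clean up after itself regardless of outcome, e.g. at the top of the callback `t.teardown(() => { delete (Object.prototype as any).a0; });` (assuming the runner exposes `t.teardown`, which the `t.deepEqual`/`t.not` style suggests). The `t.deepEqual` on two strings would read more precisely as `t.is(JSON.stringify(merged), payload)`. The four `any` annotations are understandable for a pollution probe, but `x` and `merged` could be typed `unknown`/`Record<string, unknown>` and narrowed, keeping `any` only where the `.a0` probes need it.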
