simple fix for prototype pollution

andrei-tatar · Mar 19, 2024 · bf30b75 · bf30b75
1 parent 80723ba
commit bf30b75
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/src/update-state.test.ts b/src/update-state.test.ts
@@ -222,5 +222,14 @@ describe('updateState', () => {
             }],
         });
     });
+
+    it('should not update via prototype props', () => {
+        var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}')
+
+        const { hasChanges } = updateState(BAD_JSON, {})
+
+        expect(hasChanges).to.be.false;
+        expect((Object.prototype as any).polluted).to.be.undefined;
+    });
 });
 
diff --git a/src/update-state.ts b/src/update-state.ts
@@ -16,6 +16,9 @@ const arrayItemKeyMap = new Map<string, string>([
     ['currentSensorStateData', 'name'],
 ]);
 
+// https://github.com/andrei-tatar/nora-firebase-common/issues/9
+const ignoreKeys: any[] = ['__proto__', 'constructor', 'prototype'];
+
 function updateArrayState(update: any[], state: any[], path = ''): boolean {
     let hasChanges = false;
 
@@ -51,6 +54,8 @@ function updateStateInternal(update: any, state: any, path = ''): boolean {
 
     let hasChanges = false;
     for (const [key, newValue] of entries(update)) {
+        if (ignoreKeys.includes(key)) { continue; }
+
         const oldValue = state[key];
         const newType = typeof newValue;
         const oldType = typeof oldValue;