
fix(angular.merge): do not merge __proto__ property

By blocking `__proto__` on deep merging, this commit
prevents the `Object` prototype from being polluted.
petebacondarwin committed Nov 7, 2019
1 parent 060bcde commit add78e62004e80bb1e16ab2dfe224afa8e513bc3
Showing with 17 additions and 2 deletions.
  1. +4 −2 src/Angular.js
  2. +13 −0 test/AngularSpec.js
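--- a/src/Angular.js
+++ b/src/Angular.js
@@ -342,8 +342,10 @@ function baseExtend(dst, objs, deep) {
 } else if (isElement(src)) {
 dst[key] = src.clone();
 } else {
-if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
-baseExtend(dst[key], [src], true);
+if (key !== '__proto__') {
+if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
+baseExtend(dst[key], [src], true);
+}
 }
 } else {
 dst[key] = src;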
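Review bot: The new guard only covers the deep-merge branch, so the plain assignment `dst[key] = src;` on the hunk's last line still runs for a `__proto__` key whenever `deep` is false or `src` is not a plain object; since `__proto__` is an accessor on ordinary objects, assigning an object (or `null`) through it replaces the prototype of `dst` rather than creating an own property. The per-key loop that binds `key` and `src` starts above the hunk; assuming it is an ordinary `for` loop, the simpler fix is to skip the key once at the top of its body, `if (key === '__proto__') continue;`, and drop the nested `if` added here. That covers every branch, leaves the two existing lines at their original indentation, and shrinks the change to a single added line.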
@@ -814,6 +814,19 @@ describe('angular', function() {
expect(isElement(dst.jqObject)).toBeTruthy();
expect(dst.jqObject.nodeName).toBeUndefined(); // i.e it is a jqLite/jQuery object
});

it('should not merge the __proto__ property', function() {
var src = JSON.parse('{ "__proto__": { "xxx": "polluted" } }');
var dst = {};

merge(dst, src);

if (typeof dst.__proto__ !== 'undefined') { // eslint-disable-line
// Should not overwrite the __proto__ property or pollute the Object prototype
expect(dst.__proto__).toBe(Object.prototype); // eslint-disable-line
}
expect(({}).xxx).toBeUndefined();
});
});
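Review bot: If the final assertion ever fails, the `xxx` property stays on `Object.prototype` for the remainder of the run and can make unrelated specs fail in confusing ways; remove it regardless of outcome, e.g. `try { expect(({}).xxx).toBeUndefined(); } finally { delete Object.prototype.xxx; }`. The spec also exercises only `merge`; passing the same parsed input to the shallow `extend` is worth a sibling case, because that path assigns `dst[key] = src` without the guard this commit adds. The enclosing `describe` block starts outside the hunk.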

