Merge pull request from GHSA-jxfh-8wgv-vfr2
nicknisi committed Mar 10, 2020
1 parent 35d1141 commit 20a00af
Showing 2 changed files with 7 additions and 1 deletion.
2 changes: 1 addition & 1 deletion request/util.js
Expand Up @@ -44,7 +44,7 @@ define([
for (var name in source) {
var tval = target[name],
sval = source[name];
if (tval !== sval) {
if (name !== '__proto__' && tval !== sval) {
if (shouldDeepCopy(sval)) {
if (Object.prototype.toString.call(sval) === '[object Date]') { // use this date test to handle crossing frame boundaries
target[name] = new Date(sval);
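Review bot: The new condition on the `if` line denies only the literal key `__proto__`, while `tval` is still read with `target[name]`, which follows the prototype chain. Whether the recursive branch can reach a shared object through another inherited key depends on code below the hunk, which is not visible here, so treat this as hardening rather than a confirmed gap: skip `constructor` and `prototype` alongside `__proto__`, or recurse only into values that are own properties of `target`. A short comment above the condition, such as `// skip __proto__: merging it from parsed JSON would write to Object.prototype`, would keep the guard from being removed later as dead code. The deepCopy body starts and ends outside the hunk.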
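--- a/tests/unit/request/util.js
+++ b/tests/unit/request/util.js
@@ -34,6 +34,12 @@ define([
 assert.equal(object1.banana.purchased.getTime(), new Date(2017, 0, 1).getTime());
 },
 
+'.deepCopy should ignore the __proto__ property': function() {
+var payload = JSON.parse('{ "__proto__": { "protoPollution": true }}');
+util.deepCopy({}, payload);
+assert.isUndefined(({}).protoPollution);
+},
+
 'deepCopy with FormData': function(){
 if (has('native-formdata')) {
 var formData = new FormData();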
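Review bot: The new test leaves global state dirty when it fails: if the guard regresses, `Object.prototype.protoPollution` stays set for every later test in the run, so a cleanup such as `delete Object.prototype.protoPollution;` in a `finally` or teardown would keep one failure from cascading. It also exercises only a top-level `__proto__` key; a second case with the key one level down would cover the recursive call as well. The surrounding test object starts and ends outside the hunk.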
