Merge pull request from GHSA-rrqm-p222-8ph2
Fixing prototype pollution
fishcharlie committed Feb 6, 2021
2 parents 329d59d + 016703f commit 324c62b
Showing 2 changed files with 12 additions and 1 deletion.
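--- a/lib/utils/object/set.ts
+++ b/lib/utils/object/set.ts
@@ -15,7 +15,10 @@ export = <T>(object: GeneralObject<T>, key: string, value: any): GeneralObject<T
 objectRef = objectRef[part];
 });
 
-objectRef[keyParts[keyParts.length - 1]] = value;
+const finalKey: string = keyParts[keyParts.length - 1];
+if (finalKey !== "__proto__" && finalKey !== "constructor") {
+objectRef[finalKey] = value;
+}
 
 return object;
 };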
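Review bot: The new guard checks only `finalKey`, so a dotted key whose earlier segment is `__proto__` or `constructor` is still followed by `objectRef = objectRef[part];` in the loop just above, and the final write can then land on a shared prototype. That loop starts outside this hunk, so whether it filters segments cannot be seen here. If it does not, reject the whole path before walking it, e.g. `if (keyParts.some((part) => part === "__proto__" || part === "constructor" || part === "prototype")) return object;`. It would also help to add a comment such as `// Reserved keys are dropped silently; the object is returned unchanged`, since callers get no signal that the write was refused.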
8 changes: 8 additions & 0 deletions test/unit/utils/object/set.js
Expand Up @@ -38,6 +38,14 @@ describe("utils.object.set", () => {
{
"input": [{"data": []}, "data.0", {"hello": "world"}],
"output": {"data": [{"hello": "world"}]}
},
{
"input": [{}, "__proto__", "Hello"],
"output": {}
},
{
"input": [{}, "constructor", "Hello"],
"output": {}
}
];

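Review bot: The `__proto__` case passes the string `"Hello"` as the value, and JavaScript ignores an assignment of a primitive to `__proto__`, so this case would most likely pass even without the new guard in `set.ts`. Use an object value so the case fails when the guard is missing, e.g. `"input": [{}, "__proto__", {"polluted": true}]`. Also assert afterwards that a fresh `{}` has no `polluted` property, because comparing the result with `{}` may not inspect the prototype (the comparison code is outside this hunk). A further case where the reserved name is an earlier segment of a dotted key, not the last one, would cover the traversal path as well.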

1 comment on commit 324c62b


@vercel vercel bot commented on 324c62b Feb 6, 2021
