Check for prototypes in useUnit (#1023)

* Add test for prototypes in useUnit This commit should fail * Check for hasOwnProperty in useUnit * Add key to error message in useUnit
effector · Dec 16, 2023 · 22134c1 · 22134c1
1 parent a127864
commit 22134c1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/src/react/__tests__/base/useUnit.test.tsx b/src/react/__tests__/base/useUnit.test.tsx
@@ -1226,6 +1226,15 @@ describe('useUnit', () => {
     )
     expect(failed).toBe(false)
   })
+  test('avoiding prototype pollution', async () => {
+    const base = {fk: function fk() {}}
+    const $foo = createStore(0)
+    const App = () => {
+      const {foo} = useUnit({foo: $foo, __proto__: base})
+      return <div>{foo}</div>
+    }
+    await render(<App />)
+  })
 })
 
 describe('@effector/next custom hydration triggers hooks', () => {

diff --git a/src/react/apiBase.ts b/src/react/apiBase.ts
@@ -75,8 +75,12 @@ export function useUnitBase<Shape extends {[key: string]: Unit<any>}>(
       const eventKeys: string[] = []
       const eventValues: Array<Unit<any>> = []
       for (const key in normShape) {
+        if (!Object.prototype.hasOwnProperty.call(normShape, key)) continue
         const unit = normShape[key]
-        if (!is.unit(unit)) throwError('expect useUnit argument to be a unit')
+        if (!is.unit(unit)) {
+          const keyMessage = isSingleUnit ? 'argument' : `value in key "${key}"`
+          throwError(`expect useUnit ${keyMessage} to be a unit`)
+        }
         if (is.event(unit) || is.effect(unit)) {
           shape[key] = scope ? scopeBind(unit as Event<any>, {scope}) : unit
           eventKeys.push(key)