Improve security

ehmicky · Mar 20, 2022 · 3799749 · 3799749
1 parent fe89049
commit 3799749
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/src/config/normalize/lib/wild_wild_path/iterate/expand.js b/src/config/normalize/lib/wild_wild_path/iterate/expand.js
@@ -13,16 +13,23 @@ const expandToken = function ({ queryArray, value, path }, index, opts) {
   const token = queryArray[index]
   const missingReturn = handleMissingValue(value, token, opts.classes)
   const childEntriesA = iterateToken(token, missingReturn, opts)
-  return childEntriesA.map(
-    ({ value: childValue, prop, missing: missingEntry }) => ({
+  return childEntriesA
+    .filter(isAllowedProp)
+    .map(({ value: childValue, prop, missing: missingEntry }) => ({
       queryArray,
       value: childValue,
       path: [...path, prop],
       missing: missingReturn.missing || missingEntry,
-    }),
-  )
+    }))
 }
 
+const isAllowedProp = function ({ prop }) {
+  return !FORBIDDEN_PROPS.has(prop)
+}
+
+// Forbidden to avoid prototype pollution attacks
+const FORBIDDEN_PROPS = new Set(['__proto__', 'prototype', 'constructor'])
+
 const iterateToken = function (
   token,
   { tokenType, missing: missingParent, value },