Fix against prototype pollution

eugeneware · Mar 5, 2021 · 9e58884 · 9e58884 · abergmann · Mar 10, 2021
1 parent a2bc9f8
commit 9e58884
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/index.js b/index.js
@@ -75,9 +75,9 @@ function apply(changes, target, modify) {
               ptr[prop] = {};
             }
 
-            if (i < len - 1) {
+            if (i < len - 1 && ptr.hasOwnProperty(prop)) {
               ptr = ptr[prop];
-            } else {
+            } else if (prop !== '__proto__') {
               ptr[prop] = ch.value;
             }
           });
@@ -101,7 +101,7 @@ function apply(changes, target, modify) {
             } else {
               if (Array.isArray(ptr)) {
                 ptr.splice(parseInt(prop, 10), 1);
-              } else {
+              } else if (ptr.hasOwnProperty(prop)) {
                 delete ptr[prop];
               }
             }

diff --git a/test/index.js b/test/index.js
@@ -243,4 +243,13 @@ describe('changeset', function () {
     ]);
     done();
   });
+
+  it('should not allow prototype pollution', function(done) {
+    var changeset = [
+      { type: 'put', key: ['__proto__','polluted'], value: 'Yes! Its Polluted'}
+    ];
+    diff.apply(changeset, {}, true);
+    expect({}.polluted).to.not.equal('Yes! Its Polluted');
+    done();
+  })
 });