fixed prototype polution

llGaetanll · Apr 6, 2024 · 984ad92 · 984ad92
1 parent 1cc97a0
commit 984ad92
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/src/index.js b/src/index.js
@@ -1,3 +1,6 @@
+/* prevent prototype polution */
+Object.freeze(Object.prototype)
+
 /* type checker */
 const t = (d) =>
   d instanceof Function

diff --git a/src/index.test.js b/src/index.test.js
@@ -1204,3 +1204,43 @@ describe("add", () => {
     expect(obx.eq(a, res)).toBe(true);
   });
 });
+
+describe("prototype polution", () => {
+  const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
+
+  test("add", () => {
+    const victim = {};
+
+    try {
+      obx.add({}, BAD_JSON);
+    } catch (e) { }
+
+    expect(Object.keys(victim.__proto__).length).toBe(0);
+
+    delete Object.prototype.polluted;
+  });
+
+  test("cp", () => {
+    const victim = {};
+
+    try {
+      obx.cp({ "__proto__.polluted": true });
+    } catch (e) { }
+
+    expect(Object.keys(victim.__proto__).length).toBe(0);
+
+    delete Object.prototype.polluted;
+  })
+
+  test("set", () => {
+    const victim = {};
+
+    try {
+      obx.set({}, "__proto__.polluted", true);
+    } catch (e) { }
+
+    expect(Object.keys(victim.__proto__).length).toBe(0);
+
+    delete Object.prototype.polluted;
+  })
+});