fix: prototype pollution in several npm packages #4337

Merged
merged 1 commit into from Jun 24, 2019

@Kirill89 commented Jun 19, 2019

@@ -1001,7 +1001,7 @@ function baseMergeDeep(object, source, key, srcIndex, mergeFunc, customizer, sta
if (isArguments(objValue)) {
newValue = toPlainObject(objValue);
}
else if (!isObject(objValue) || (srcIndex && isFunction(objValue))) {
else if (!isObject(objValue) || isFunction(objValue)) {
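
Review bot: The new condition on the last line drops the `srcIndex &&` guard with no comment explaining why, so a function-valued `objValue` now takes this branch even when `srcIndex` is falsy, a case the old condition on the line above it excluded. Since the PR title ties the change to prototype pollution, add a one-line comment stating that a function is never kept as the merge target here, and a regression test that merges into an object whose existing property is a function.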

@@ -1001,7 +1001,7 @@ function baseMergeDeep(object, source, key, srcIndex, mergeFunc, customizer, sta
if (isArguments(objValue)) {
newValue = toPlainObject(objValue);
}
else if (!isObject(objValue) || (srcIndex && isFunction(objValue))) {
else if (!isObject(objValue) || isFunction(objValue)) {

* @returns {*} Returns the property value.
*/
function safeGet(object, key) {
if (key === 'constructor' && typeof object[key] === 'function') {
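
Review bot: The `@returns` line above `safeGet` says only "Returns the property value", while the first statement of the function special-cases `key === 'constructor'` when `object[key]` is a function. State in the JSDoc what is returned in that case, and note that the comparison is against the literal key name only, so any other key that must not be read during a merge needs its own guard or a test showing it is handled elsewhere.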

Kirill89 (Author), Jun 19, 2019:

This is the fix from the other PR: #4336

@@ -1146,8 +1166,8 @@ function baseMerge(object, source, srcIndex, customizer, stack) {
* counterparts.
*/
function baseMergeDeep(object, source, key, srcIndex, mergeFunc, customizer, stack) {
var objValue = object[key],
srcValue = source[key],
var objValue = safeGet(object, key),
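
Review bot: Only the `objValue` read is visibly switched to `safeGet(object, key)` here; the hunk ends before showing what replaces `srcValue = source[key]`. In a merge, `source` is the side that carries untrusted input, so confirm that `srcValue` is also read through `safeGet(source, key)`, and mention the guarded read in the doc comment above `baseMergeDeep`.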


@jdalton added the bug label Jun 24, 2019

@jdalton (Member) commented Jun 24, 2019

Thank you @Kirill89!

@jdalton merged commit bb2e678 into lodash:npm-packages Jun 24, 2019

1 check passed

licence/cla Contributor License Agreement is signed.

@schmod commented Jun 25, 2019

Is there a path forward for getting these published?
