fix: protect obj merge

longshotlabs · Oct 6, 2020 · 5012884 · 5012884
1 parent 2079938
commit 5012884
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/package/lib/SimpleSchema.tests.js b/package/lib/SimpleSchema.tests.js
@@ -49,6 +49,14 @@ describe('SimpleSchema', function () {
     }).toThrow('"someArray" is Array type but the schema does not include a "someArray.$" definition for the array items');
   });
 
+  it('does not allow prototype pollution', function () {
+    const obj = {};
+    expect(obj.polluted).toBe(undefined);
+    const badObj = JSON.parse('{"__proto__":{"polluted":"yes"}}');
+    SimpleSchema.setDefaultMessages(badObj);
+    expect(obj.polluted).toBe(undefined);
+  });
+
   describe('nesting', function () {
     it('throws an error if a nested schema defines a field that its parent also defines', function () {
       expect(function () {

diff --git a/package/lib/utility/merge.js b/package/lib/utility/merge.js
@@ -11,6 +11,7 @@
 export default function merge(destination, ...sources) {
   sources.forEach((source) => {
     Object.keys(source).forEach((prop) => {
+      if (prop === '__proto__') return; // protect against prototype pollution
       if (
         source[prop]
         && source[prop].constructor