Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fixed Prototype Pollution vulnerability (constructor). Thanks to Gill…
… from Snyk Security
  • Loading branch information
erayhanoglu committed Feb 2, 2022
1 parent 4766c34 commit 476d000
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 4 deletions.
2 changes: 1 addition & 1 deletion lib/merge.js
Expand Up @@ -33,7 +33,7 @@ function merge(target, source, options = {}) {
const keys = Object.getOwnPropertyNames(source);
keys.push(...Object.getOwnPropertySymbols(source));
for (const key of keys) {
if (key === '__proto__')
if (key === '__proto__' || key === 'constructor')
continue;
if (options.filter && !options.filter(source, key))
continue;
Expand Down
4 changes: 2 additions & 2 deletions package.json
Expand Up @@ -19,9 +19,9 @@
"object"
],
"devDependencies": {
"eslint": "^7.19.0",
"eslint": "^8.8.0",
"eslint-config-google": "^0.14.0",
"mocha": "^9.0.2",
"mocha": "^9.2.0",
"nyc": "^15.1.0"
},
"engines": {
Expand Down
9 changes: 8 additions & 1 deletion test/merge.js
Expand Up @@ -237,11 +237,18 @@ describe('merge', function() {
);
});

it('should prevent Prototype Pollution vulnerability', function() {
it('should prevent Prototype Pollution vulnerability (__proto__)', function() {
const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
const obj = {};
merge(obj, payload, {deep: true});
assert.strictEqual(obj.polluted, undefined);
});

it('should prevent Prototype Pollution vulnerability (constructor)', function() {
const payload = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}');
let obj = {};
merge(obj, payload, {deep: true});
assert.strictEqual(obj.polluted, undefined);
});

});

0 comments on commit 476d000

Please sign in to comment.