fix(security): fixed formToJSON prototype pollution vulnerability; (a…

…xios#6167)
qiongshusheng · Feb 22, 2024 · 602ce0a · 602ce0a
1 parent ce46346
commit 602ce0a
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/lib/helpers/formDataToJSON.js b/lib/helpers/formDataToJSON.js
@@ -27,9 +27,12 @@ function arrayToObject(arr) {
 
 function formDataToJSON(formData) {
   function buildPath(path, value, target, index) {
-    var name = path[index++];
-    var isNumericKey = Number.isFinite(+name);
-    var isLast = index >= path.length;
+    let name = path[index++];
+
+    if (name === '__proto__') return true;
+
+    const isNumericKey = Number.isFinite(+name);
+    const isLast = index >= path.length;
     name = !name && utils.isArray(target) ? target.length : name;
 
     if (isLast) {

diff --git a/test/specs/helpers/formDataToJSON.spec.js b/test/specs/helpers/formDataToJSON.spec.js
@@ -47,4 +47,25 @@ describe('formDataToJSON', function () {
       foo: ['1', '2']
     });
   });
+
+  it('should resist prototype pollution CVE', () => {
+    const formData = new FormData();
+
+    formData.append('foo[0]', '1');
+    formData.append('foo[1]', '2');
+    formData.append('__proto__.x', 'hack');
+    formData.append('constructor.prototype.y', 'value');
+
+    expect(formDataToJSON(formData)).toEqual({
+      foo: ['1', '2'],
+      constructor: {
+        prototype: {
+          y: 'value'
+        }
+      }
+    });
+
+    expect({}.x).toEqual(undefined);
+    expect({}.y).toEqual(undefined);
+  });
 });