fix: potential prototype pollution attacks (#10455)

Prevent event listeners of type "__proto__" to pollute the global Object prototype. This is fixed by creating objects with null prototype so they don't have a "__proto__" property.
react-navigation · Nov 27, 2022 · aa062f0 · aa062f0
1 parent cdf1b72
commit aa062f0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 5 deletions.
diff --git a/packages/core/src/useEventEmitter.tsx b/packages/core/src/useEventEmitter.tsx
@@ -21,7 +21,9 @@ export default function useEventEmitter<T extends Record<string, any>>(
     listenRef.current = listen;
   });
 
-  const listeners = React.useRef<Record<string, Record<string, Listeners>>>({});
+  const listeners = React.useRef<Record<string, Record<string, Listeners>>>(
+    Object.create(null)
+  );
 
   const create = React.useCallback((target: string) => {
     const removeListener = (type: string, callback: (data: any) => void) => {

diff --git a/packages/core/src/useKeyedChildListeners.tsx b/packages/core/src/useKeyedChildListeners.tsx
@@ -11,10 +11,12 @@ export default function useKeyedChildListeners() {
       string,
       KeyedListenerMap[K] | undefined
     >;
-  }>({
-    getState: {},
-    beforeRemove: {},
-  });
+  }>(
+    Object.assign(Object.create(null), {
+      getState: {},
+      beforeRemove: {},
+    })
+  );
 
   const addKeyedListener = React.useCallback(
     <T extends keyof KeyedListenerMap>(