Security Fix for Prototype Pollution

Fixing the issues in set() and deepFillIn()
ready-research · Sep 5, 2021 · 44d6965 · 44d6965
1 parent 46a319d
commit 44d6965
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/src/utils.js b/src/utils.js
@@ -62,6 +62,7 @@ const mkdirP = function (object, path) {
   }
   const parts = path.split('.')
   parts.forEach(function (key) {
+    if (isPrototypePolluted(key)) return
     if (!object[key]) {
       object[key] = {}
     }
@@ -419,6 +420,7 @@ const utils = {
   deepFillIn (dest, source) {
     if (source) {
       utils.forOwn(source, function (value, key) {
+        if (isPrototypePolluted(key)) return
         const existing = dest[key]
         if (isPlainObject(value) && isPlainObject(existing)) {
           utils.deepFillIn(existing, value)