fix: prototype pollution

swordev · Feb 22, 2021 · 7b0ddc2 · 7b0ddc2
1 parent 8686d85
commit 7b0ddc2
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 4 deletions.
diff --git a/dist/merge.browser.min.js b/dist/merge.browser.min.js
diff --git a/dist/merge.browser.test.js b/dist/merge.browser.test.js
@@ -62,10 +62,13 @@ exports.isPlainObject = isPlainObject;
 function _recursiveMerge(base, extend) {
     if (!isPlainObject(base))
         return extend;
-    for (var key in extend)
+    for (var key in extend) {
+        if (key === '__proto__' || key === 'constructor' || key === 'prototype')
+            continue;
         base[key] = (isPlainObject(base[key]) && isPlainObject(extend[key])) ?
             _recursiveMerge(base[key], extend[key]) :
             extend[key];
+    }
     return base;
 }
 function _merge(isClone, isRecursive, items) {
@@ -194,6 +197,9 @@ describe('merge.recursive', function () {
     });
     it('prototype pollution attack', function () {
         chai_1.assert.deepEqual(index_1.default.recursive({}, JSON.parse('{"__proto__": {"a": true}}')), {});
+        chai_1.assert.equal({}['a'], undefined);
+        chai_1.assert.deepEqual(index_1.default.recursive({ deep: {} }, JSON.parse('{ "deep": { "__proto__": {"b": true} }}')), { deep: {} });
+        chai_1.assert.equal({}['b'], undefined);
     });
 });
 

diff --git a/lib/src/index.js b/lib/src/index.js
@@ -55,10 +55,13 @@ exports.isPlainObject = isPlainObject;
 function _recursiveMerge(base, extend) {
     if (!isPlainObject(base))
         return extend;
-    for (var key in extend)
+    for (var key in extend) {
+        if (key === '__proto__' || key === 'constructor' || key === 'prototype')
+            continue;
         base[key] = (isPlainObject(base[key]) && isPlainObject(extend[key])) ?
             _recursiveMerge(base[key], extend[key]) :
             extend[key];
+    }
     return base;
 }
 function _merge(isClone, isRecursive, items) {

diff --git a/lib/test/index.js b/lib/test/index.js
@@ -99,5 +99,8 @@ describe('merge.recursive', function () {
     });
     it('prototype pollution attack', function () {
         chai_1.assert.deepEqual(index_1.default.recursive({}, JSON.parse('{"__proto__": {"a": true}}')), {});
+        chai_1.assert.equal({}['a'], undefined);
+        chai_1.assert.deepEqual(index_1.default.recursive({ deep: {} }, JSON.parse('{ "deep": { "__proto__": {"b": true} }}')), { deep: {} });
+        chai_1.assert.equal({}['b'], undefined);
     });
 });
diff --git a/src/index.ts b/src/index.ts
@@ -61,10 +61,12 @@ function _recursiveMerge(base: any, extend: any) {
 	if (!isPlainObject(base))
 		return extend
 
-	for (const key in extend)
+	for (const key in extend) {
+		if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue
 		base[key] = (isPlainObject(base[key]) && isPlainObject(extend[key])) ?
 			_recursiveMerge(base[key], extend[key]) :
 			extend[key]
+	}
 
 	return base
 

diff --git a/test/index.ts b/test/index.ts
@@ -219,6 +219,15 @@ describe('merge.recursive', function () {
 			{}
 		)
 
+		assert.equal(({} as any)['a'], undefined)
+
+		assert.deepEqual(
+			merge.recursive({ deep: {} }, JSON.parse('{ "deep": { "__proto__": {"b": true} }}')),
+			{ deep: {} }
+		)
+
+		assert.equal(({} as any)['b'], undefined)
+
 	})
 
 })