Prevent Object prototype pollution.

See https://hackerone.com/reports/311333.
unclechu · Apr 27, 2018 · 3543599 · 3543599
1 parent 9653940
commit 3543599
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/lib/deep-extend.js b/lib/deep-extend.js
@@ -102,8 +102,8 @@ var deepExtend = module.exports = function (/*obj_1, [obj_2], [obj_N]*/) {
 		}
 
 		Object.keys(obj).forEach(function (key) {
-			src = target[key]; // source value
-			val = obj[key]; // new value
+			src = safeGetProperty(target, key); // source value
+			val = safeGetProperty(obj, key); // new value
 
 			// recursion prevention
 			if (val === target) {
@@ -142,3 +142,7 @@ var deepExtend = module.exports = function (/*obj_1, [obj_2], [obj_N]*/) {
 
 	return target;
 }
+
+function safeGetProperty(object, property) {
+	return property === '__proto__' ? undefined : object[property];
+}
diff --git a/test/index.spec.js b/test/index.spec.js
@@ -235,4 +235,12 @@ describe('deep-extend', function () {
 		});
 	});
 
+	// Vulnerability reported via hacker1: https://hackerone.com/reports/311333
+	it('should not modify Object prototype (hacker1 #311333)', function () {
+		var a = {};
+		extend({}, JSON.parse('{"__proto__":{"oops":"It works!"}}'))
+		should.not.exist(a.oops);
+		should.not.exist(Object.prototype.oops);
+	});
+
 });