fix: address prototype pollution issue (#108)
bcoe committed Oct 25, 2020
1 parent 61a8b9a commit a9ac604abf756dec9687be3843e2c93bfe581f25
Showing with 19 additions and 1 deletion.
  1. +1 −1 lib/index.ts
  2. +18 −0 test/y18n-test.cjs
@@ -47,7 +47,7 @@ class Y18N {
this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true

// internal stuff.
this.cache = {}
this.cache = Object.create(null)
this.writeQueue = []
}
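Review bot: The switch to `Object.create(null)` on `this.cache` protects only the top-level locale map, and nothing in this hunk shows how the per-locale objects stored under it are created. If those are ordinary objects (for example the result of `JSON.parse` or a `{}` fallback, which is not visible from here), a translation key such as `constructor` or `__proto__` inside a locale would still resolve through `Object.prototype`, so it is worth confirming they get the same treatment. Any code elsewhere that calls inherited methods on the cache (e.g. `this.cache.hasOwnProperty(...)`) would also stop working with a null-prototype object. A short comment above the assignment would keep it from being reverted to a literal later: `// null-prototype object so a locale named "__proto__" is stored as an ordinary key`. The constructor begins outside the hunk.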

@@ -351,6 +351,24 @@ describe('y18n', function () {
})
})

// See: https://github.com/yargs/y18n/issues/96,
// https://github.com/yargs/y18n/pull/107
describe('prototype pollution', () => {
it('does not pollute prototype, with __proto__ locale', () => {
const y = y18n()
y.setLocale('__proto__')
y.updateLocale({ polluted: '👽' })
y.__('polluted').should.equal('👽')
;(typeof polluted).should.equal('undefined')
})

it('does not pollute prototype, when __ is used with __proto__ locale', () => {
const __ = y18n({ locale: '__proto__' }).__
__('hello')
;(typeof {}.hello).should.equal('undefined')
})
})

after(function () {
rimraf.sync('./test/locales/fr.json')
})
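Review bot: The first test asserts on `typeof polluted`, which detects a polluted `Object.prototype` only indirectly through global-scope identifier lookup, while the second test checks `{}.hello` directly. Using the direct form in both, `;(typeof {}.polluted).should.equal('undefined')`, makes the intent obvious and keeps the two cases parallel. Neither test passes a `directory` option, so if `__('hello')` queues a file write for the missing key, the `after` hook shown here (which removes only `./test/locales/fr.json`) would not clean it up; that is inferred, since the write path is outside this hunk. The enclosing `describe('y18n', ...)` block starts and ends outside the hunk.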
