fix(slides): resolve prototype pollution in swiper v5 (#23344)

resolves #23342
ionic-team · May 21, 2021 · a708c41 · a708c41
1 parent d473a53
commit a708c41
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 16 deletions.
diff --git a/core/package.json b/core/package.json
@@ -67,8 +67,7 @@
     "typescript": "^4.0.5"
   },
   "scripts": {
-    "build": "npm run clean && npm run build.css && npm run build.vendor && stencil build --docs --es5 --docs-json dist/docs.json && npm run cdnloader",
-    "build.vendor": "rollup --config ./scripts/swiper.rollup.config.js",
+    "build": "npm run clean && npm run build.css && stencil build --docs --es5 --docs-json dist/docs.json && npm run cdnloader",
     "build.css": "npm run css.sass && npm run css.minify",
     "build.debug": "npm run clean && stencil build --debug",
     "build.docs": "stencil build --docs",

diff --git a/core/scripts/swiper.rollup.config.js b/core/scripts/swiper.rollup.config.js
diff --git a/core/src/components/slides/swiper/swiper.bundle.js b/core/src/components/slides/swiper/swiper.bundle.js
@@ -970,10 +970,11 @@ const Utils = {
   },
   extend(...args) {
     const to = Object(args[0]);
+    const noExtend = ['__proto__', 'constructor', 'prototype'];
     for (let i = 1; i < args.length; i += 1) {
       const nextSource = args[i];
       if (nextSource !== undefined && nextSource !== null) {
-        const keysArray = Object.keys(Object(nextSource));
+        const keysArray = Object.keys(Object(nextSource)).filter((key) => noExtend.indexOf(key) < 0);
         for (let nextIndex = 0, len = keysArray.length; nextIndex < len; nextIndex += 1) {
           const nextKey = keysArray[nextIndex];
           const desc = Object.getOwnPropertyDescriptor(nextSource, nextKey);
@@ -6403,7 +6404,6 @@ const components = [
   Browser$1,
   Resize,
   Observer$1,
-
 ];
 
 if (typeof Swiper.use === 'undefined') {