Prevent access to __proto__

Signed-off-by: andrew-coleman <[email protected]>
jsonata-js · Feb 29, 2024 · c907b5e · c907b5e
1 parent d7790e8
commit c907b5e
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/src/jsonata.js b/src/jsonata.js
@@ -1293,6 +1293,13 @@ var jsonata = (function() {
                 }
                 for(var ii = 0; ii < matches.length; ii++) {
                     var match = matches[ii];
+                    if (match && match.isPrototypeOf(result)) {
+                        throw {
+                            code: "D1010",
+                            stack: (new Error()).stack,
+                            position: expr.position
+                        };
+                    }
                     // evaluate the update value for each match
                     var update = await evaluate(expr.update, match, environment);
                     // update must be an object
@@ -1539,7 +1546,7 @@ var jsonata = (function() {
                 if (typeof err.token == 'undefined' && typeof proc.token !== 'undefined') {
                     err.token = proc.token;
                 }
-                err.position = proc.position;
+                err.position = proc.position || err.position;
             }
             throw err;
         }
@@ -1972,6 +1979,7 @@ var jsonata = (function() {
         "T1007": "Attempted to partially apply a non-function. Did you mean ${{{token}}}?",
         "T1008": "Attempted to partially apply a non-function",
         "D1009": "Multiple key definitions evaluate to same key: {{value}}",
+        "D1010": "Attempted to access the Javascript object prototype", // Javascript specific 
         "T1010": "The matcher function argument passed to function {{token}} does not return the correct object structure",
         "T2001": "The left side of the {{token}} operator must evaluate to a number",
         "T2002": "The right side of the {{token}} operator must evaluate to a number",

diff --git a/test/implementation-tests.js b/test/implementation-tests.js
@@ -955,6 +955,26 @@ describe("Tests that are specific to a Javascript runtime", () => {
             });
         });
     });
+    describe("Expressions that attempt to pollute the object prototype", function() {
+        it("should throw an error with __proto__", async function() {
+            const expr = jsonata('{} ~> | __proto__ | {"is_admin": true} |');
+            expect(
+                expr.evaluate()
+            ).to.eventually.be.rejected.to.deep.contain({
+                position: 7,
+                code: "D1010",
+            });
+        });
+        it("should throw an error with __lookupGetter__", async function() {
+            const expr = jsonata('{} ~> | __lookupGetter__("__proto__")() | {"is_admin": true} |');
+            expect(
+                expr.evaluate()
+            ).to.eventually.be.rejected.to.deep.contain({
+                position: 7,
+                code: "D1010",
+            });
+        });
+    });
 });
 
 describe("Test that yield platform specific results", () => {