fix __proto__ pollution vector in uPlot.assign()

leeoniya · Feb 2, 2024 · 5756e3e · 5756e3e
1 parent b0fd072
commit 5756e3e
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 25 deletions.
diff --git a/dist/uPlot.cjs.js b/dist/uPlot.cjs.js
@@ -566,6 +566,8 @@ function fastIsObj(v) {
 
 const TypedArray = Object.getPrototypeOf(Uint8Array);
 
+const __proto__ = "__proto__";
+
 function copy(o, _isObj = isObj) {
 	let out;
 
@@ -584,8 +586,10 @@ function copy(o, _isObj = isObj) {
 		out = o.slice();
 	else if (_isObj(o)) {
 		out = {};
-		for (let k in o)
-			out[k] = copy(o[k], _isObj);
+		for (let k in o) {
+			if (k != __proto__)
+				out[k] = copy(o[k], _isObj);
+		}
 	}
 	else
 		out = o;
@@ -600,10 +604,12 @@ function assign(targ) {
 		let src = args[i];
 
 		for (let key in src) {
-			if (isObj(targ[key]))
-				assign(targ[key], copy(src[key]));
-			else
-				targ[key] = copy(src[key]);
+			if (key != __proto__) {
+				if (isObj(targ[key]))
+					assign(targ[key], copy(src[key]));
+				else
+					targ[key] = copy(src[key]);
+			}
 		}
 	}
 

diff --git a/dist/uPlot.esm.js b/dist/uPlot.esm.js
@@ -564,6 +564,8 @@ function fastIsObj(v) {
 
 const TypedArray = Object.getPrototypeOf(Uint8Array);
 
+const __proto__ = "__proto__";
+
 function copy(o, _isObj = isObj) {
 	let out;
 
@@ -582,8 +584,10 @@ function copy(o, _isObj = isObj) {
 		out = o.slice();
 	else if (_isObj(o)) {
 		out = {};
-		for (let k in o)
-			out[k] = copy(o[k], _isObj);
+		for (let k in o) {
+			if (k != __proto__)
+				out[k] = copy(o[k], _isObj);
+		}
 	}
 	else
 		out = o;
@@ -598,10 +602,12 @@ function assign(targ) {
 		let src = args[i];
 
 		for (let key in src) {
-			if (isObj(targ[key]))
-				assign(targ[key], copy(src[key]));
-			else
-				targ[key] = copy(src[key]);
+			if (key != __proto__) {
+				if (isObj(targ[key]))
+					assign(targ[key], copy(src[key]));
+				else
+					targ[key] = copy(src[key]);
+			}
 		}
 	}
 

diff --git a/dist/uPlot.iife.js b/dist/uPlot.iife.js
@@ -567,6 +567,8 @@ var uPlot = (function () {
 
 	const TypedArray = Object.getPrototypeOf(Uint8Array);
 
+	const __proto__ = "__proto__";
+
 	function copy(o, _isObj = isObj) {
 		let out;
 
@@ -585,8 +587,10 @@ var uPlot = (function () {
 			out = o.slice();
 		else if (_isObj(o)) {
 			out = {};
-			for (let k in o)
-				out[k] = copy(o[k], _isObj);
+			for (let k in o) {
+				if (k != __proto__)
+					out[k] = copy(o[k], _isObj);
+			}
 		}
 		else
 			out = o;
@@ -601,10 +605,12 @@ var uPlot = (function () {
 			let src = args[i];
 
 			for (let key in src) {
-				if (isObj(targ[key]))
-					assign(targ[key], copy(src[key]));
-				else
-					targ[key] = copy(src[key]);
+				if (key != __proto__) {
+					if (isObj(targ[key]))
+						assign(targ[key], copy(src[key]));
+					else
+						targ[key] = copy(src[key]);
+				}
 			}
 		}
 

diff --git a/dist/uPlot.iife.min.js b/dist/uPlot.iife.min.js
diff --git a/src/utils.js b/src/utils.js
@@ -407,6 +407,8 @@ export function fastIsObj(v) {
 
 const TypedArray = Object.getPrototypeOf(Uint8Array);
 
+const __proto__ = "__proto__";
+
 export function copy(o, _isObj = isObj) {
 	let out;
 
@@ -425,8 +427,10 @@ export function copy(o, _isObj = isObj) {
 		out = o.slice();
 	else if (_isObj(o)) {
 		out = {};
-		for (let k in o)
-			out[k] = copy(o[k], _isObj);
+		for (let k in o) {
+			if (k != __proto__)
+				out[k] = copy(o[k], _isObj);
+		}
 	}
 	else
 		out = o;
@@ -441,10 +445,12 @@ export function assign(targ) {
 		let src = args[i];
 
 		for (let key in src) {
-			if (isObj(targ[key]))
-				assign(targ[key], copy(src[key]));
-			else
-				targ[key] = copy(src[key]);
+			if (key != __proto__) {
+				if (isObj(targ[key]))
+					assign(targ[key], copy(src[key]));
+				else
+					targ[key] = copy(src[key]);
+			}
 		}
 	}