fix(core): Prevent prototype pollution on injectable services (#6309)
This helps prevent classes from being tampered with by external-hooks or community nodes
netroy authored May 26, 2023
1 parent 0631f69 commit d94c20a
Showing 2 changed files with 13 additions and 5 deletions.
12 changes: 10 additions & 2 deletions patches/[email protected]
@@ -1,8 +1,16 @@
diff --git a/cjs/container-instance.class.js b/cjs/container-instance.class.js
index e473b1e652aa0b6e7462f7ba93fcef2812483b20..1e2ac7e5cb7943f5226a2bc25fa83bee0470f90c 100644
index e473b1e652aa0b6e7462f7ba93fcef2812483b20..1e406113d68c401ee170c997afb53e5f71edeee2 100644
--- a/cjs/container-instance.class.js
+++ b/cjs/container-instance.class.js
@@ -234,6 +234,7 @@ class ContainerInstance {
@@ -209,6 +209,7 @@ class ContainerInstance {
// this allows us to support javascript where we don't have decorators and emitted metadata about dependencies
// need to be injected, and user can use provided container to get instances he needs
params.push(this);
+ if (process.env.NODE_ENV === 'production') Object.freeze(constructableTargetType.prototype);
value = new constructableTargetType(...params);
// TODO: Calling this here, leads to infinite loop, because @Inject decorator registerds a handler
// TODO: which calls Container.get, which will check if the requested type has a value set and if not
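Review bot: The added Object.freeze line in cjs/container-instance.class.js is gated on process.env.NODE_ENV === 'production', so development and test runs never exercise a frozen prototype. Code that assigns to a service prototype will pass everywhere except production, where the write throws a TypeError in strict mode and is silently dropped otherwise. Consider freezing unconditionally, or add a test that runs this path with NODE_ENV set to production. Two limits are also worth a comment on that line. Object.freeze is shallow, so it covers constructableTargetType.prototype only, while static members on the constructor and any parent-class prototypes stay writable. The freeze also happens just before `new constructableTargetType(...params)`, so a prototype modified before the container first instantiates the service is frozen in its modified state.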
@@ -234,6 +235,7 @@ class ContainerInstance {
*/
initializeParams(target, paramTypes) {
return paramTypes.map((paramType, index) => {
6 changes: 3 additions & 3 deletions pnpm-lock.yaml
