Skip to content

Commit

Permalink
Merge pull request #6704 from plotly/nestedProperty-proto
Browse files Browse the repository at this point in the history
Fix potential prototype pollution in `nestedProperty`
  • Loading branch information
archmoj authored Aug 11, 2023
2 parents a860a32 + 5cfbd6e commit 0249840
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 3 deletions.
11 changes: 9 additions & 2 deletions src/lib/nested_property.js
Original file line number Diff line number Diff line change
Expand Up @@ -24,13 +24,20 @@ module.exports = function nestedProperty(container, propStr) {
throw 'bad property string';
}

var j = 0;
var propParts = propStr.split('.');
var indexed;
var indices;
var i;
var i, j;

for(j = 0; j < propParts.length; j++) {
// guard against polluting __proto__ and other internals
if(String(propParts[j]).slice(0, 2) === '__') {
throw 'bad property string';
}
}

// check for parts of the nesting hierarchy that are numbers (ie array elements)
j = 0;
while(j < propParts.length) {
// look for non-bracket chars, then any number of [##] blocks
indexed = String(propParts[j]).match(/^([^\[\]]*)((\[\-?[0-9]*\])+)$/);
Expand Down
4 changes: 3 additions & 1 deletion test/jasmine/tests/lib_test.js
Original file line number Diff line number Diff line change
Expand Up @@ -468,7 +468,9 @@ describe('Test lib.js:', function() {

it('should fail on a bad property string', function() {
var badStr = [
[], {}, false, undefined, null, NaN, Infinity
[], {}, false, undefined, null, NaN, Infinity,
// should guard against prototype pollution
'x.__proto__.polluted', 'x.y.__proto__.polluted'
];

function badProp(i) {
Expand Down

0 comments on commit 0249840

Please sign in to comment.