From 5ce8afdd1671b08c774ce106b000605ba8fccf78 Mon Sep 17 00:00:00 2001
From: Rik Smale <13023439+WikiRik@users.noreply.github.com>
Date: Fri, 24 Nov 2023 20:36:06 +0100
Subject: [PATCH] fix: deny modifying the object prototype (#1698)
---
 src/shared/object.ts | 5 ++++-
 test/specs/utils/object.spec.ts | 9 +++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/shared/object.ts b/src/shared/object.ts
index ac78339d..768fd8b5 100644
--- a/src/shared/object.ts
+++ b/src/shared/object.ts
@@ -14,7 +14,10 @@ export function deepAssign(target: T, source: S): T & S;
 export function deepAssign(target: {}, source: S): S;
 export function deepAssign(target: any, ...sources: any[]): any {
 sources.forEach((source) => {
- Object.getOwnPropertyNames(source).forEach((key) => assign(key, target, source));
+ Object.getOwnPropertyNames(source).forEach(
+ (key) =>
+ !['__proto__', 'constructor', 'prototype'].includes(key) && assign(key, target, source)
+ );
 /* istanbul ignore next */
 if (Object.getOwnPropertySymbols) {
 Object.getOwnPropertySymbols(source).forEach((key) => assign(key, target, source));
diff --git a/test/specs/utils/object.spec.ts b/test/specs/utils/object.spec.ts
index 5a6289fd..7e8f475a 100644
--- a/test/specs/utils/object.spec.ts
+++ b/test/specs/utils/object.spec.ts
@@ -1,5 +1,6 @@
 import { expect } from 'chai';
 import { deepAssign } from '../../../src/shared/object';
+import { addScopeOptions } from '../../../src/scopes/scope-service';

 describe('utils', () => {
 describe('object', () => {
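Review bot: The guard on the added `+` lines silently drops every own property named `constructor` or `prototype`, not only the `constructor.prototype` chain that can reach `Object.prototype`, so a source object that legitimately carries an own `constructor` key is now ignored without any signal; if that trade-off is intended it deserves a comment, otherwise skip `constructor`/`prototype` only when the value is an object and skip `__proto__` unconditionally. Either way, hoist the list out of the per-key callback and use a block body so the intent reads as a check rather than a side-effect expression: `const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']); // prototype-pollution guard, see #1698` above the function and `if (!FORBIDDEN_KEYS.has(key)) assign(key, target, source);` inside the callback. The filter is also only as strong as `assign`, which is defined outside this hunk: nested payloads such as `{"a":{"__proto__":{...}}}` are covered only if `assign` recurses through `deepAssign` (and hence this filter) for object values rather than copying them by reference, which is worth confirming before closing #1698. The body of `deepAssign` continues past the last hunk line.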
@@ -109,6 +110,14 @@ describe('utils', () => {
 expect(copy.test).to.have.property('protoFn').that.is.a('function');
 });

+ it('ignore prototype property', () => {
+ const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
+ const empty_scope = {};
+
+ addScopeOptions(empty_scope, BAD_JSON);
+ expect(empty_scope).not.to.have.property('polluted');
+ });
+
 if (Object.getOwnPropertySymbols) {
 it('should copy symbol based objects', () => {
 const symbol = Symbol('test');
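Review bot: The new test asserts on `empty_scope` and never removes a polluted property, so if the guard in `deepAssign` regresses, `Object.prototype.polluted` stays set for every later test in the run and the failure surfaces in unrelated specs; wrap the check in `try { … } finally { delete (Object.prototype as Record<string, unknown>).polluted; }` and assert on `Object.prototype` (or a fresh `{}`) directly, since that global is what the guard protects. The case also exercises only the `__proto__` key, and only through `addScopeOptions`, while the fix in `src/shared/object.ts` additionally blocks `constructor` and `prototype` and, presumably, nested objects — none of which is covered here, so a direct `deepAssign` case over a small payload table would pin all three. Minor style: `BAD_JSON` and `empty_scope` break the camelCase used by `copy` and `symbol` in the surrounding tests, and the title would read better as `'should not pollute Object.prototype'` next to `'should copy symbol based objects'`.
```typescript
it('should not pollute Object.prototype', () => {
  const payloads = [
    '{"__proto__":{"polluted":true}}',
    '{"constructor":{"prototype":{"polluted":true}}}',
    '{"nested":{"__proto__":{"polluted":true}}}',
  ];
  try {
    for (const payload of payloads) {
      deepAssign({}, JSON.parse(payload));
      addScopeOptions({}, JSON.parse(payload));
      expect(Object.prototype).not.to.have.property('polluted');
      expect(({} as Record<string, unknown>).polluted).to.equal(undefined);
    }
  } finally {
    // a failed guard must not leak into the rest of the test run
    delete (Object.prototype as Record<string, unknown>).polluted;
  }
});
```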