8000 Security fix for Prototype Pollution by arjunshibu · Pull Request #1 · 418sec/NestedObjectAssign · GitHub
[go: up one dir, main page]
Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Security fix for Prototype Pollution #1

Merged
merged 1 commit into from
Jan 28, 2021
Merged

Security fix for Prototype Pollution #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion src/nestedObjectAssign.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ export default function nestedObjectAssign(target, ...sources){

if (isObject(target) && isObject(source)){
for (const key in source){
if (isObject(source[key])){
if (isObject(source[key]) && !isPrototypePolluted(key)){
if (!target[key]) {
Object.assign(target, {[key]: {}});
}
Expand All @@ -28,4 +28,8 @@ export default function nestedObjectAssign(target, ...sources){
}

return nestedObjectAssign(target, ...sources);
}

function isPrototypePolluted(key){
return /__proto__|constructor|prototype/.test(key);
}
6 changes: 6 additions & 0 deletions test/nestedObjectAssign.spec.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,4 +69,10 @@ describe('Given an instance of nestedObjectAssign', function() {
expect(JSON.stringify(nestedObjectAssign({}, mockData.default, mockData.first, mockData.second))).to.be.equal(JSON.stringify(expectedData));
});
});
describe('when I give malicious payload', function() {
it('it should not pollute object prototype', () => {
nestedObjectAssign({}, JSON.parse('{"__proto__": {"polluted": true}}'));
expect({}.polluted).to.be.equal(undefined);
});
});
});
0