
Commit 676f6b7

authored
Merge pull request #11 from 418sec/1-npm-nested-object-assign
Security Fix for Prototype Pollution - huntr.dev
2 parents f63a28f + 7df2223 commit 676f6b7


2 files changed

+11
-1
lines changed


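--- a/src/nestedObjectAssign.js
+++ b/src/nestedObjectAssign.js
@@ -9,7 +9,7 @@ export default function nestedObjectAssign(target, ...sources){
 
 if (isObject(target) && isObject(source)){
 for (const key in source){
-if (isObject(source[key])){
+if (isObject(source[key]) && !isPrototypePolluted(key)){
 if (!target[key]) {
 Object.assign(target, {[key]: {}});
 }
@@ -28,4 +28,8 @@ export default function nestedObjectAssign(target, ...sources){
 }
 
 return nestedObjectAssign(target, ...sources);
+}
+
+function isPrototypePolluted(key){
+return /__proto__|constructor|prototype/.test(key);
 }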
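Review bot: The regex in isPrototypePolluted is unanchored, so `.test(key)` rejects any key that merely contains one of the three words — a legitimate `constructorName` or `prototypeVersion` key would be silently dropped from the merge instead of copied. An exact-match check is narrower and easier to reason about: `return ['__proto__', 'constructor', 'prototype'].includes(key);`, and renaming the helper to `isUnsafeKey(key)` would say what it actually tests rather than reading as a state query. The guard is only applied on the object-valued branch of the loop; the non-object branch lies outside the hunk, so I cannot tell from here whether that path assigns the key unchecked and it should be confirmed. A short comment on the helper would help the next reader, e.g. `// Keys that would let a source object rewrite target's prototype chain are skipped, not merged`.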

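--- a/test/nestedObjectAssign.spec.js
+++ b/test/nestedObjectAssign.spec.js
@@ -69,4 +69,10 @@ describe('Given an instance of nestedObjectAssign', function() {
 expect(JSON.stringify(nestedObjectAssign({}, mockData.default, mockData.first, mockData.second))).to.be.equal(JSON.stringify(expectedData));
 });
 });
+describe('when I give malicious payload', function() {
+it('it should not pollute object prototype', () => {
+nestedObjectAssign({}, JSON.parse('{"__proto__": {"polluted": true}}'));
+expect({}.polluted).to.be.equal(undefined);
+});
+});
 });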
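Review bot: The new test covers only the `__proto__` key, while the helper it exercises also rejects `constructor` and `prototype`; a second case such as `nestedObjectAssign({}, JSON.parse('{"constructor": {"prototype": {"polluted": true}}}'));` followed by the same `expect({}.polluted).to.be.equal(undefined);` would pin that path as well. Because a polluted `Object.prototype` persists for the rest of the process, using a distinct key name per case would stop one failure from masking another. The enclosing `describe` block starts outside the hunk.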
