Skip to content

Commit

Permalink
Security fix for Prototype Pollution
Browse files Browse the repository at this point in the history
  • Loading branch information
arjunshibu committed Jan 28, 2021
1 parent f63a28f commit 3a6d2cb
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 1 deletion.
6 changes: 5 additions & 1 deletion src/nestedObjectAssign.js
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ export default function nestedObjectAssign(target, ...sources){

if (isObject(target) && isObject(source)){
for (const key in source){
if (isObject(source[key])){
if (isObject(source[key]) && !isPrototypePolluted(key)){
if (!target[key]) {
Object.assign(target, {[key]: {}});
}
Expand All @@ -28,4 +28,8 @@ export default function nestedObjectAssign(target, ...sources){
}

return nestedObjectAssign(target, ...sources);
}

function isPrototypePolluted(key){
return /__proto__|constructor|prototype/.test(key);
}
6 changes: 6 additions & 0 deletions test/nestedObjectAssign.spec.js
Original file line number Diff line number Diff line change
Expand Up @@ -69,4 +69,10 @@ describe('Given an instance of nestedObjectAssign', function() {
expect(JSON.stringify(nestedObjectAssign({}, mockData.default, mockData.first, mockData.second))).to.be.equal(JSON.stringify(expectedData));
});
});
describe('when I give malicious payload', function() {
it('it should not pollute object prototype', () => {
nestedObjectAssign({}, JSON.parse('{"__proto__": {"polluted": true}}'));
expect({}.polluted).to.be.equal(undefined);
});
});
});

0 comments on commit 3a6d2cb

Please sign in to comment.