fix prototype pollution in deepMerge

jeremydaly · Oct 25, 2021 · 82cb6c4 · 82cb6c4
1 parent 7053473
commit 82cb6c4
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 3 deletions.
diff --git a/__tests__/utils.unit.js b/__tests__/utils.unit.js
@@ -450,4 +450,44 @@ describe("Utility Function Tests:", function () {
       });
     });
   }); // end parseS3 tests
+
+
+	describe("deepMerge", function () {
+
+		it("Should deep merge objects", function () {
+			let obj1 = {
+				"a": {
+					"b": {
+						"c": "test"
+					}
+				}
+			};
+			let obj2 = {
+				"a": {
+					"b": {
+						"c": "test2"
+					}
+				}
+			};
+
+			expect(utils.deepMerge(obj1, obj2)).toEqual({
+				"a": {
+					"b": {
+						"c": "test2"
+					}
+				}
+			});
+		})
+
+		it("Prevents prototype pollution", function () {
+			let payload = '{"__proto__":{"polluted":true}}';
+			expect({}.polluted).toBeUndefined();
+			utils.deepMerge({},JSON.parse(payload));
+			expect({}.polluted).toBeUndefined();
+		})
+
+
+	}); // end deepMerge tests
+
+
 }); // end UTILITY tests
diff --git a/lib/utils.js b/lib/utils.js
@@ -157,9 +157,11 @@ exports.parseS3 = (path) => {
 
 // Deep Merge
 exports.deepMerge = (a, b) => {
-  Object.keys(b).forEach((key) =>
-    key in a ? this.deepMerge(a[key], b[key]) : Object.assign(a, b)
-  );
+  Object.keys(b).forEach((key) => {
+    if (key === '__proto__') return;
+    if (typeof b[key] !== 'object') return Object.assign(a, b);
+    return key in a ? this.deepMerge(a[key], b[key]) : Object.assign(a, b);
+  });
   return a;
 };