From 8b714aa04d0ae6177982bff1c25628df2be926f7 Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 28 Oct 2020 13:14:59 -0700 Subject: [PATCH 1/2] [Tests] fix test suite --- package.json | 3 ++- test/object.js | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 21314d14a..bc8ae74ca 100644 --- a/package.json +++ b/package.json @@ -96,7 +96,8 @@ "rollup-plugin-node-resolve": "^5.2.0", "rollup-plugin-size-snapshot": "^0.12.0", "sinon": "^9.2.0", - "sinon-chai": "^3.5.0" + "sinon-chai": "^3.5.0", + "synchronous-promise": "^2.0.15" }, "dependencies": { "@babel/runtime": "^7.10.5", diff --git a/test/object.js b/test/object.js index 6d56ae939..18cf67378 100644 --- a/test/object.js +++ b/test/object.js @@ -153,7 +153,7 @@ describe('Object types', () => { err.message.should.match(/must be a `string` type/); }); - it.only('should respect child schema with strict()', async () => { + it('should respect child schema with strict()', async () => { inst = object({ field: number().strict(), }); From 243eeef41aac3d767c96aff8ed4e69bb52d31fbb Mon Sep 17 00:00:00 2001 From: Jordan Harband Date: Wed, 28 Oct 2020 14:12:44 -0700 Subject: [PATCH 2/2] [Fix] `setLocale`: do not allow prototype pollution --- src/locale.js | 4 ++-- test/setLocale.js | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/src/locale.js b/src/locale.js index 6838516f6..2fdbe80a3 100644 --- a/src/locale.js +++ b/src/locale.js @@ -63,7 +63,7 @@ export let array = { max: '${path} field must have less than or equal to ${max} items', }; -export default { +export default Object.assign(Object.create(null), { mixed, string, number, @@ -71,4 +71,4 @@ export default { object, array, boolean, -}; +}); diff --git a/test/setLocale.js b/test/setLocale.js index 81b93baa6..7582ac15a 100644 --- a/test/setLocale.js +++ b/test/setLocale.js @@ -23,4 +23,20 @@ describe('Custom locale', () => { const locale = require('../src/locale').default; expect(locale.string.email).to.equal('Invalid email'); }); + + it('should not allow prototype pollution', () => { + const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}'); + + expect(() => setLocale(payload)).to.throw(); + + expect(payload).not.to.have.property('polluted'); + }); + + it('should not pollute Object.prototype builtins', () => { + const payload = { toString: { polluted: 'oh no' } }; + + expect(() => setLocale(payload)).to.throw(); + + expect(Object.prototype.toString).not.to.have.property('polluted'); + }); });