fixed issue#33 CVE-2022-25645 added test for it

lukeed · May 3, 2022 · 5c9ebb0 · 5c9ebb0
1 parent 56923fe
commit 5c9ebb0
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/package.json b/package.json
@@ -51,8 +51,8 @@
  "set"
  ],
  "devDependencies": {
- "bundt": "1.1.2",
+ "bundt": "1.1.5",
  "esm": "3.2.25",
- "uvu": "0.5.1"
+ "uvu": "0.5.3"
  }
 }
diff --git a/src/merge.js b/src/merge.js
@@ -6,6 +6,7 @@ export function merge(a, b, k) {
  }
  } else {
  for (k in b) {
+ if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
  a[k] = merge(a[k], b[k]);
  }
  }

diff --git a/test/suites/pollution.js b/test/suites/pollution.js
@@ -85,5 +85,18 @@ export default function (dset) {
  });
  });
 
+ // Test for CVE-2022-25645 - CWE-1321 
+ pollution(
+ "should ignore JSON.parse crafted object including __proto__ :: provided by snyk",
+ () => {
+ var a = { b: { c: 1 } };
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}')); //Needs to craft payload with JSON.parse to keep the object key proto
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ }
+ );
+
  pollution.run();
 }