Merge pull request #11 from 418sec/1-npm-nested-object-assign

Security Fix for Prototype Pollution - huntr.dev
Geta · Jan 28, 2021 · 676f6b7 · 676f6b7
2 parents f63a28f + 7df2223
commit 676f6b7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/src/nestedObjectAssign.js b/src/nestedObjectAssign.js
@@ -9,7 +9,7 @@ export default function nestedObjectAssign(target, ...sources){
 
     if (isObject(target) && isObject(source)){
         for (const key in source){
-            if (isObject(source[key])){
+            if (isObject(source[key]) && !isPrototypePolluted(key)){
                 if (!target[key]) {
                     Object.assign(target, {[key]: {}});
                 }
@@ -28,4 +28,8 @@ export default function nestedObjectAssign(target, ...sources){
     }
 
     return nestedObjectAssign(target, ...sources);
+}
+
+function isPrototypePolluted(key){
+    return /__proto__|constructor|prototype/.test(key);
 }
diff --git a/test/nestedObjectAssign.spec.js b/test/nestedObjectAssign.spec.js
@@ -69,4 +69,10 @@ describe('Given an instance of nestedObjectAssign', function() {
             expect(JSON.stringify(nestedObjectAssign({}, mockData.default, mockData.first, mockData.second))).to.be.equal(JSON.stringify(expectedData));
         });
     });
+    describe('when I give malicious payload', function() {
+        it('it should not pollute object prototype', () => {
+            nestedObjectAssign({}, JSON.parse('{"__proto__": {"polluted": true}}'));
+            expect({}.polluted).to.be.equal(undefined);
+        });
+    });
 });