fix: address prototype pollution

yargs · Jan 4, 2021 · 90401ee · 90401ee
1 parent 77f684e
commit 90401ee
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,6 @@
+### 3.2.2 (2021-01-04)
+
+
+### Bug Fixes
+
+* address prototype pollution issue ([#108](https://www.github.com/yargs/y18n/issues/108)) ([a9ac604](https://www.github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25))
diff --git a/index.js b/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
 
   // internal stuff.
-  this.cache = {}
+  this.cache = Object.create(null)
   this.writeQueue = []
 }
 

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "y18n",
-  "version": "3.2.1",
+  "version": "3.2.2",
   "description": "the bare-bones internationalization library used by yargs",
   "main": "index.js",
   "scripts": {

diff --git a/test/y18n-test.js b/test/y18n-test.js
@@ -336,6 +336,24 @@ describe('y18n', function () {
     })
   })
 
+  // See: https://github.com/yargs/y18n/issues/96,
+  // https://github.com/yargs/y18n/pull/107
+  describe('prototype pollution', function () {
+    it('does not pollute prototype, with __proto__ locale', function () {
+      const y = y18n()
+      y.setLocale('__proto__')
+      y.updateLocale({ polluted: '👽' })
+      y.__('polluted').should.equal('👽')
+      ;(typeof polluted).should.equal('undefined')
+    })
+
+    it('does not pollute prototype, when __ is used with __proto__ locale', function () {
+      const __ = y18n({ locale: '__proto__' }).__
+      __('hello')
+      ;(typeof {}.hello).should.equal('undefined')
+    })
+  })
+
   after(function () {
     rimraf.sync('./test/locales/fr.json')
   })