From dff7140070c4e68731f17d577cca9fd82fe55498 Mon Sep 17 00:00:00 2001
From: Evert Timberg
Date: Sun, 18 Oct 2020 13:47:08 -0400
Subject: [PATCH] When objects are merged together, the target prototype can be polluted. (#7918)
* When objects are merged together, the target prototype can be polluted. This change blocks updates to the `__proto__` key during config merge
---
 src/helpers/helpers.core.js | 16 ++++++++++++++++
 test/specs/helpers.core.tests.js | 5 +++++
 2 files changed, 21 insertions(+)
diff --git a/src/helpers/helpers.core.js b/src/helpers/helpers.core.js
index 6cf28c00d41..c975cb0fb66 100644
--- a/src/helpers/helpers.core.js
+++ b/src/helpers/helpers.core.js
@@ -1,5 +1,9 @@
 'use strict';
+function isValidKey(key) {
+ return ['__proto__', 'prototype', 'constructor'].indexOf(key) === -1;
+}
+
 /**
 * @namespace Chart.helpers
 */
@@ -196,6 +200,12 @@ var helpers = {
 * @private
 */
 _merger: function(key, target, source, options) {
+ if (!isValidKey(key)) {
+ // We want to ensure we do not copy prototypes over
+ // as this can pollute global namespaces
+ return;
+ }
+
 var tval = target[key];
 var sval = source[key];
@@ -211,6 +221,12 @@ var helpers = {
 * @private
 */
 _mergerIf: function(key, target, source) {
+ if (!isValidKey(key)) {
+ // We want to ensure we do not copy prototypes over
+ // as this can pollute global namespaces
+ return;
+ }
+
 var tval = target[key];
 var sval = source[key];
diff --git a/test/specs/helpers.core.tests.js b/test/specs/helpers.core.tests.js
index 1f524089a21..d145bb21d0e 100644
--- a/test/specs/helpers.core.tests.js
+++ b/test/specs/helpers.core.tests.js
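Review bot: `isValidKey` in the first hunk of `src/helpers/helpers.core.js` has no doc comment, and its name does not say what makes a key invalid, so a reader meeting it in `_merger` has to open the helper to learn it is a prototype-pollution guard. A short JSDoc such as `/** Returns false for keys (__proto__, prototype, constructor) that must never be copied during a merge. @private */` would state the intent. The deny-list array is also rebuilt on every call; hoisting it to a module-level `var` would avoid that allocation each time a key is merged.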
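Review bot: The guard added at the top of `_merger` (and repeated verbatim in `_mergerIf` in the following hunk) protects only callers that go through these two default mergers. If `merge` lets a caller supply its own merger through `options`, which this hunk does not show and is worth confirming, that path never reaches `isValidKey`. Filtering the key once in the loop that invokes the merger would cover every merger and remove the duplicated block. The silent `return;` also drops legitimate config keys named `constructor` or `prototype`, which deserves a mention in the comment, for example `// deny-listed keys are skipped silently, including own data keys with these names`. Both function bodies continue outside their hunks.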
@@ -323,6 +323,11 @@ describe('Chart.helpers.core', function() {
 });
 describe('merge', function() {
+ it('should not allow prototype pollution', function() {
+ var test = helpers.merge({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+ expect(test.prototype).toBeUndefined();
+ expect(Object.prototype.polluted).toBeUndefined();
+ });
 it('should update target and return it', function() {
 var target = {a: 1};
 var result = helpers.merge(target, {a: 2, b: 'foo'});
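Review bot: The first expectation in the new spec, `expect(test.prototype).toBeUndefined()`, cannot fail, because the payload sets `__proto__` rather than `prototype` and the property is undefined with or without the guard. `expect(test.polluted).toBeUndefined();` would check the returned object instead. Only the `Object.prototype.polluted` assertion exercises the fix, and if it ever fails the property stays on `Object.prototype` for every later spec; a `delete Object.prototype.polluted;` in an `afterEach` would contain that. The guard added to `_mergerIf` has no spec here, so a matching case through whichever helper uses `_mergerIf` would cover it. The `describe('merge', ...)` block continues past the end of the hunk.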