Block incorrect keys in merge code to prevent prototype pollution (#7919)

author Evert Timberg <evert.timberg+github@gmail.com>

Sun, 18 Oct 2020 18:16:20 +0000 (14:16 -0400)

committer GitHub <noreply@github.com>

Sun, 18 Oct 2020 18:16:20 +0000 (21:16 +0300)
author Evert Timberg <evert.timberg+github@gmail.com>
Sun, 18 Oct 2020 18:16:20 +0000 (14:16 -0400)
committer GitHub <noreply@github.com>
Sun, 18 Oct 2020 18:16:20 +0000 (21:16 +0300)
diff --git a/src/helpers/helpers.core.js b/src/helpers/helpers.core.js

index ec936deb5a860324f0aeca9eaea9eb97c2244c29..89bf473bd2a6c3278973b24e40de2372d7a7d320 100644 (file)
--- a/src/helpers/helpers.core.js
+++ b/src/helpers/helpers.core.js
@@ -172,12 +172,20 @@ export function clone(source) {
         return source;
  }
  
+function isValidKey(key) {
+       return ['__proto__', 'prototype', 'constructor'].indexOf(key) === -1;
+}
+
  /**
   * The default merger when Chart.helpers.merge is called without merger option.
   * Note(SB): also used by mergeConfig and mergeScaleConfig as fallback.
   * @private
   */
  export function _merger(key, target, source, options) {
+       if (!isValidKey(key)) {
+               return;
+       }
+
         const tval = target[key];
         const sval = source[key];
  
@@ -241,6 +249,10 @@ export function mergeIf(target, source) {
   * @private
   */
  export function _mergerIf(key, target, source) {
+       if (!isValidKey(key)) {
+               return;
+       }
+
         const tval = target[key];
         const sval = source[key];
  
diff --git a/test/specs/helpers.core.tests.js b/test/specs/helpers.core.tests.js

index 23a0df539cc48c2dd9f296b130683a5615ec6c88..0f38613f1c2cb377ff2ec42ba99c587c8a68f557 100644 (file)
--- a/test/specs/helpers.core.tests.js
+++ b/test/specs/helpers.core.tests.js
@@ -272,6 +272,11 @@ describe('Chart.helpers.core', function() {
         });
  
         describe('merge', function() {
+               it('should not allow prototype pollution', function() {
+                       var test = helpers.merge({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+                       expect(test.prototype).toBeUndefined();
+                       expect(Object.prototype.polluted).toBeUndefined();
+               });
                 it('should update target and return it', function() {
                         var target = {a: 1};
                         var result = helpers.merge(target, {a: 2, b: 'foo'});
@@ -319,6 +324,11 @@ describe('Chart.helpers.core', function() {
         });
  
         describe('mergeIf', function() {
+               it('should not allow prototype pollution', function() {
+                       var test = helpers.mergeIf({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+                       expect(test.prototype).toBeUndefined();
+                       expect(Object.prototype.polluted).toBeUndefined();
+               });
                 it('should update target and return it', function() {
                         var target = {a: 1};
                         var result = helpers.mergeIf(target, {a: 2, b: 'foo'});
author	Evert Timberg <evert.timberg+github@gmail.com>
	Sun, 18 Oct 2020 18:16:20 +0000 (14:16 -0400)
committer	GitHub <noreply@github.com>
	Sun, 18 Oct 2020 18:16:20 +0000 (21:16 +0300)
src/helpers/helpers.core.js		patch \| blob \| blame \| history
test/specs/helpers.core.tests.js		patch \| blob \| blame \| history