'use strict';
+function isValidKey(key) {
+ return ['__proto__', 'prototype', 'constructor'].indexOf(key) === -1;
+}
+
/**
* @namespace Chart.helpers
*/
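Review bot: `isValidKey` is added without a doc comment, and its name does not say what a key is valid for. A short header such as `/** Returns false for '__proto__', 'prototype' and 'constructor', which must never be merged from a source object. */` would state the contract. The check is by name only, so a legitimate option key called `constructor` or `prototype` is now skipped by the callers without any warning. That trade-off is worth recording in the same comment.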
* @private
*/
_merger: function(key, target, source, options) {
+ if (!isValidKey(key)) {
+ // We want to ensure we do not copy prototypes over
+ // as this can pollute global namespaces
+ return;
+ }
+
var tval = target[key];
var sval = source[key];
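Review bot: The guard sits inside `_merger` rather than in the code that calls it, so it protects only merges that go through this function. If the merge helper accepts a caller-supplied merger through `options` (not visible in this hunk), that merger would receive the `__proto__` key unfiltered. Checking once where the source keys are iterated, presumably a loop in the merge helper, with `if (!isValidKey(key)) { continue; }` would cover every merger and remove the duplicated check and comment in `_mergerIf`. The comment could also be more exact, for example `// Skip keys that would write through to Object.prototype`. The body of `_merger` continues past the end of this hunk.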
* @private
*/
_mergerIf: function(key, target, source) {
+ if (!isValidKey(key)) {
+ // We want to ensure we do not copy prototypes over
+ // as this can pollute global namespaces
+ return;
+ }
+
var tval = target[key];
var sval = source[key];
});
describe('merge', function() {
+ it('should not allow prototype pollution', function() {
+ var test = helpers.merge({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+ expect(test.prototype).toBeUndefined();
+ expect(Object.prototype.polluted).toBeUndefined();
+ });
it('should update target and return it', function() {
var target = {a: 1};
var result = helpers.merge(target, {a: 2, b: 'foo'});
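Review bot: `expect(test.prototype).toBeUndefined()` passes with or without the fix, because a plain object has no `prototype` property, so only the `Object.prototype.polluted` assertion exercises the guard. `expect(test.polluted).toBeUndefined();` would check the merged result directly. The test covers only `__proto__` through `helpers.merge`, which leaves the `_mergerIf` path and the other two blocked names untested. If the guard regresses, `Object.prototype.polluted` stays set for every later spec, so a cleanup step with `delete Object.prototype.polluted;` would contain the failure.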