From: Evert Timberg
Date: Sun, 18 Oct 2020 18:16:20 +0000 (-0400)
Subject: Block incorrect keys in merge code to prevent prototype pollution (#7919)
X-Git-Tag: v3.0.0-beta.5~29
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ac68593873693877f638f248176e79f4fd63eabd;p=thirdparty%2FChart.js.git
Block incorrect keys in merge code to prevent prototype pollution (#7919)
* Port fix from v2
* Port test
* Test both merge and mergeIf
---
diff --git a/src/helpers/helpers.core.js b/src/helpers/helpers.core.js
index ec936deb5..89bf473bd 100644
--- a/src/helpers/helpers.core.js
+++ b/src/helpers/helpers.core.js
@@ -172,12 +172,20 @@ export function clone(source) {
 return source;
 }
 
+function isValidKey(key) {
+ return ['__proto__', 'prototype', 'constructor'].indexOf(key) === -1;
+}
+
 /**
  * The default merger when Chart.helpers.merge is called without merger option.
  * Note(SB): also used by mergeConfig and mergeScaleConfig as fallback.
  * @private
  */
 export function _merger(key, target, source, options) {
+ if (!isValidKey(key)) {
+ return;
+ }
+
 const tval = target[key];
 const sval = source[key];
 
@@ -241,6 +249,10 @@ export function mergeIf(target, source) {
  * @private
  */
 export function _mergerIf(key, target, source) {
+ if (!isValidKey(key)) {
+ return;
+ }
+
 const tval = target[key];
 const sval = source[key];
 
diff --git a/test/specs/helpers.core.tests.js b/test/specs/helpers.core.tests.js
index 23a0df539..0f38613f1 100644
--- a/test/specs/helpers.core.tests.js
+++ b/test/specs/helpers.core.tests.js
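Review bot: In `src/helpers/helpers.core.js` the key check sits inside `_merger` (and again inside `_mergerIf` in the following hunk) rather than where the keys are enumerated, so a caller-supplied merger would presumably still be handed `__proto__`, `constructor` and `prototype` unless it delegates to the default. The doc comment above `_merger` mentions such a `merger` option. Filtering once ahead of the merger call, e.g. `if (!isValidKey(key)) { continue; }`, would cover every merger, but that loop is outside these hunks, so this needs confirming against `merge` and `mergeIf`. `isValidKey` also deserves a short comment such as `// Keys that could reach Object.prototype or a constructor's prototype are never merged.`, since the silent `return` otherwise reads like an oversight. Both merger bodies continue past the end of their hunks.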
@@ -272,6 +272,11 @@ describe('Chart.helpers.core', function() {
 });
 
 describe('merge', function() {
+ it('should not allow prototype pollution', function() {
+ var test = helpers.merge({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+ expect(test.prototype).toBeUndefined();
+ expect(Object.prototype.polluted).toBeUndefined();
+ });
 it('should update target and return it', function() {
 var target = {a: 1};
 var result = helpers.merge(target, {a: 2, b: 'foo'});
@@ -319,6 +324,11 @@ describe('Chart.helpers.core', function() {
 });
 
 describe('mergeIf', function() {
+ it('should not allow prototype pollution', function() {
+ var test = helpers.mergeIf({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+ expect(test.prototype).toBeUndefined();
+ expect(Object.prototype.polluted).toBeUndefined();
+ });
 it('should update target and return it', function() {
 var target = {a: 1};
 var result = helpers.mergeIf(target, {a: 2, b: 'foo'});
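Review bot: `expect(test.prototype).toBeUndefined()` in the new `merge` spec, and its copy in the `mergeIf` spec in the following hunk, passes with or without the fix because a plain object has no `prototype` property. Only the `Object.prototype.polluted` assertion exercises the guard, and `expect(test.polluted).toBeUndefined();` would check the returned object as well. Both specs cover `__proto__` only, while `isValidKey` also blocks `constructor` and `prototype`, so a case for each would pin the whole list. If the guard ever regresses, `Object.prototype.polluted` stays set for every spec that runs afterwards; `delete Object.prototype.polluted;` in an `afterEach` would keep the failure local.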