Merge pull request from GHSA-5888-ffcr-r425

* fix prototype polution bug * update tests
flightcontrolhq · Feb 9, 2022 · 0d68cd5 · 0d68cd5
1 parent e0252a5
commit 0d68cd5
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 0 deletions.
diff --git a/src/accessDeep.ts b/src/accessDeep.ts
@@ -1,4 +1,5 @@
 import { isMap, isArray, isPlainObject, isSet } from './is';
+import { includes } from './util';
 
 const getNthKey = (value: Map<any, any> | Set<any>, n: number): any => {
   const keys = value.keys();
@@ -10,7 +11,21 @@ const getNthKey = (value: Map<any, any> | Set<any>, n: number): any => {
   return keys.next().value;
 };
 
+function validatePath(path: (string | number)[]) {
+  if (includes(path, '__proto__')) {
+    throw new Error('__proto__ is not allowed as a property');
+  }
+  if (includes(path, 'prototype')) {
+    throw new Error('prototype is not allowed as a property');
+  }
+  if (includes(path, 'constructor')) {
+    throw new Error('constructor is not allowed as a property');
+  }
+}
+
 export const getDeep = (object: object, path: (string | number)[]): object => {
+  validatePath(path);
+
   path.forEach(key => {
     object = (object as any)[key];
   });
@@ -23,6 +38,8 @@ export const setDeep = (
   path: (string | number)[],
   mapper: (v: any) => any
 ): any => {
+  validatePath(path);
+
   if (path.length === 0) {
     return mapper(object);
   }

diff --git a/src/index.test.ts b/src/index.test.ts
@@ -1000,3 +1000,63 @@ test('regression: `Object.create(null)` / object without prototype', () => {
 
   expect(parsed.date).toBeInstanceOf(Date);
 });
+
+test('prototype pollution - __proto__', () => {
+  expect(() => {
+    SuperJSON.parse(
+      JSON.stringify({
+        json: {
+          myValue: 1337,
+        },
+        meta: {
+          referentialEqualities: {
+            myValue: ['__proto__.x'],
+          },
+        },
+      })
+    );
+  }).toThrowErrorMatchingInlineSnapshot(
+    `"__proto__ is not allowed as a property"`
+  );
+  expect((Object.prototype as any).x).toBeUndefined();
+});
+
+test('prototype pollution - prototype', () => {
+  expect(() => {
+    SuperJSON.parse(
+      JSON.stringify({
+        json: {
+          myValue: 1337,
+        },
+        meta: {
+          referentialEqualities: {
+            myValue: ['prototype.x'],
+          },
+        },
+      })
+    );
+  }).toThrowErrorMatchingInlineSnapshot(
+    `"prototype is not allowed as a property"`
+  );
+});
+
+test('prototype pollution - constructor', () => {
+  expect(() => {
+    SuperJSON.parse(
+      JSON.stringify({
+        json: {
+          myValue: 1337,
+        },
+        meta: {
+          referentialEqualities: {
+            myValue: ['constructor.prototype.x'],
+          },
+        },
+      })
+    );
+  }).toThrowErrorMatchingInlineSnapshot(
+    `"prototype is not allowed as a property"`
+  );
+
+  expect((Object.prototype as any).x).toBeUndefined();
+});
diff --git a/src/is.ts b/src/is.ts
@@ -11,6 +11,7 @@ export const isPlainObject = (
 ): payload is { [key: string]: any } => {
   if (getType(payload) !== 'Object') return false;
   if (Object.getPrototypeOf(payload) === null) return true;
+  if (payload === Object.prototype) return false;
   return (
     payload.constructor === Object &&
     Object.getPrototypeOf(payload) === Object.prototype