fix: Avoid prototype polution when creating a new context

prantlf · Feb 11, 2022 · 3e9eb74 · 3e9eb74
1 parent 9ddebe6
commit 3e9eb74
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/require.js b/require.js
@@ -1262,6 +1262,8 @@ var requirejs, require, define;
             context.defQueueMap = {};
         }
 
+        var denyProps = ["__proto__", "constructor", "prototype"];
+
         context = {
             config: config,
             contextName: contextName,
@@ -1306,6 +1308,7 @@ var requirejs, require, define;
                     };
 
                 eachProp(cfg, function (value, prop) {
+                    if (denyProps.indexOf(prop) >= 0) return;
                     if (objs[prop]) {
                         if (!config[prop]) {
                             config[prop] = {};