FIX reported security problem with the query builders mquery api

pubkey · Dec 12, 2020 · b72ea77 · b72ea77
1 parent 5e33746
commit b72ea77
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ Bugfixes:
 Other:
   - Added `name` identifier to `RxPlugin`
   - Throw error when `dev-mode` plugin is added multiple times because there is no way that this was done intentional likely the developer has mixed core and default usage of RxDB.
+  - Fix reported security problem with the query builders mquery api.
 
 ### 9.10.1 (23 November 2020)
 

diff --git a/src/plugins/query-builder/mquery/mquery-utils.ts b/src/plugins/query-builder/mquery/mquery-utils.ts
@@ -3,12 +3,21 @@
  * @link https://github.com/aheckmann/mquery/blob/master/lib/utils.js
  */
 
+
+/**
+ * @link https://github.com/aheckmann/mquery/commit/792e69fd0a7281a0300be5cade5a6d7c1d468ad4
+ */
+const SPECIAL_PROPERTIES = ['__proto__', 'constructor', 'prototype'];
+
 /**
  * Merges 'from' into 'to' without overwriting existing properties.
  */
 export function merge(to: any, from: any): any {
     Object.keys(from)
         .forEach(key => {
+            if (SPECIAL_PROPERTIES.includes(key)) {
+                return;
+            }
             if (typeof to[key] === 'undefined') {
                 to[key] = from[key];
             } else {