Don't allow __proto__ property to be used for schema default/coerce, f…

…ixes #84
kriszyp · Oct 9, 2021 · 22f1461 · 22f1461
1 parent c52a27c
commit 22f1461
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 node_modules
+yarn.lock
+.vscode
diff --git a/lib/validate.js b/lib/validate.js
@@ -207,7 +207,7 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
 			}
 
 			for(var i in objTypeDef){ 
-				if(objTypeDef.hasOwnProperty(i)){
+				if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){
 					var value = instance[i];
 					// skip _not_ specified properties
 					if (value === undefined && options.existingOnly) continue;

diff --git a/test/tests.js b/test/tests.js
@@ -92,4 +92,30 @@ var suite = vows.describe('JSON Schema').addBatch({
     'Json-Ref self-validates': assertSelfValidates('json-ref'),
     'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
     'Json-Ref/Core': assertValidates('json-ref', 'schema')*/
+    prototypePollution: function() {
+        console.log('testing')
+        const instance = JSON.parse(`
+        {
+        "$schema":{
+            "type": "object",
+            "properties":{
+            "__proto__": {
+                "type": "object",
+                
+                "properties":{
+                "polluted": {
+                    "type": "string",
+                    "default": "polluted"
+                }
+                }
+            }
+            },
+            "__proto__": {}
+        }
+        }`);
+
+        const a = {};
+        validate(instance);
+        assert.equal(a.polluted, undefined);
+    }
 }).export(module);