Security Fix for Prototype Pollution
Fix prototype pollution when path components are not strings
ready-research authored and koskimas committed Sep 15, 2021
1 parent 260b284 commit 46b842a
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion lib/utils/objectUtils.js
@@ -225,6 +225,9 @@ function set(obj, path, value) {

for (let i = 0, l = path.length - 1; i < l; ++i) {
const key = path[i];
if (key === '__proto__') {
return false;
}
let child = obj[key];

if (!isObject(child)) {
@@ -252,7 +255,10 @@ function set(obj, path, value) {
function zipObject(keys, values) {
const out = {};

for (let i = 0, l = keys.length; i < l; ++i) {
for (let i = 0, l = keys.length; i < l; ++i) {
if (keys[i] === '__proto__') {
return false;
}
out[keys[i]] = values[i];
}

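Review bot: The new guards `if (key === '__proto__')` in `set` and `if (keys[i] === '__proto__')` in `zipObject` use strict equality, so a component that is not a string but is coerced to that name by the property access that follows (`obj[key]`, `out[keys[i]]`) is not rejected, which is the case the commit description names. Comparing the coerced form, e.g. `if (String(key) === '__proto__') {`, would cover it at both sites. The loop in `set` stops at `path.length - 1`, so the last component is not checked in these lines; the final write is outside the hunk and should be confirmed to apply the same guard. In `zipObject`, `return false` changes the return type from an object to a boolean, so skipping the key with `continue`, or documenting the new return value for callers, would be safer.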
