From 2bec9986b37981261ea51b02782092e2ca94bb2a Mon Sep 17 00:00:00 2001
From: Mojtaba Samimi
Date: Fri, 11 Aug 2023 10:31:35 -0400
Subject: [PATCH 1/2] guard against polluting __proto__ in nestedProperty
---
 src/lib/nested_property.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/lib/nested_property.js b/src/lib/nested_property.js
index f54c2951abe..a057e732bee 100644
--- a/src/lib/nested_property.js
+++ b/src/lib/nested_property.js
@@ -24,13 +24,20 @@ module.exports = function nestedProperty(container, propStr) {
 throw 'bad property string';
 }
- var j = 0;
 var propParts = propStr.split('.');
 var indexed;
 var indices;
- var i;
+ var i, j;
+
+ for(j = 0; j < propParts.length; j++) {
+ // guard against polluting __proto__ and other internals
+ if(String(propParts[j]).slice(0, 2) === '__') {
+ throw 'bad property string';
+ }
+ }
 // check for parts of the nesting hierarchy that are numbers (ie array elements)
+ j = 0;
 while(j < propParts.length) {
 // look for non-bracket chars, then any number of [##] blocks
 indexed = String(propParts[j]).match(/^([^\[\]]*)((\[\-?[0-9]*\])+)$/);
From 5cfbd6e335ee42560d42aaef3a0732a8634cffd3 Mon Sep 17 00:00:00 2001
From: Mojtaba Samimi
Date: Fri, 11 Aug 2023 11:04:55 -0400
Subject: [PATCH 2/2] add test
---
 test/jasmine/tests/lib_test.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/test/jasmine/tests/lib_test.js b/test/jasmine/tests/lib_test.js
index fcc24c51ad0..88b144d2c24 100644
--- a/test/jasmine/tests/lib_test.js
+++ b/test/jasmine/tests/lib_test.js
@@ -468,7 +468,9 @@ describe('Test lib.js:', function() {
 it('should fail on a bad property string', function() {
 var badStr = [
- [], {}, false, undefined, null, NaN, Infinity
+ [], {}, false, undefined, null, NaN, Infinity,
+ // should guard against prototype pollution
+ 'x.__proto__.polluted', 'x.y.__proto__.polluted'
 ];
 function badProp(i) {
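Review bot: The guard in the new `for` loop in src/lib/nested_property.js rejects only segments that begin with `__`, so a path that reaches a prototype through the segments `constructor` and `prototype` still passes this check. Whether the traversal and setter further down would follow such a path is outside the hunk and should be confirmed. If no supported attribute path uses those names, hoist `var part = String(propParts[j]);` and widen the condition to `if(part.slice(0, 2) === '__' || part === 'constructor' || part === 'prototype') {`. The existing comment could also say that the match is deliberately broad, e.g. `// rejects every segment starting with '__', including user keys such as '__foo'`. The body of nestedProperty continues past the end of the hunk.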
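Review bot: The two strings added to `badStr` in test/jasmine/tests/lib_test.js place `__proto__` only in a middle segment, and nothing visible in the hunk asserts that `Object.prototype` is left unchanged. The loop that consumes `badStr` starts in `badProp` and continues outside the hunk, so this is inferred from the list alone. Add a leading-segment case, `'__proto__.polluted'`, and after the loop check the side effect directly with `expect(({}).polluted).toBeUndefined();`, so the test still fails if a later refactor stops throwing but also stops guarding.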