

fix(deepMerge): prototype pollution
antfu committed May 30, 2023
1 parent 1106872 commit 7f8b16c
Showing 2 changed files with 15 additions and 0 deletions.
12 changes: 12 additions & 0 deletions src/object.test.ts
Expand Up @@ -51,4 +51,16 @@ describe('deepMerge', () => {
const obj2 = { a: ['C'], b: ['D'] }
expect(deepMerge({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] })
})

it('prototype pollution 1', () => {
const obj = {} as any
const obj2 = {} as any
const payload = JSON.parse('{"__proto__":{"polluted":"Polluted!"}}')

expect(obj.polluted).toBeUndefined()
expect(obj2.polluted).toBeUndefined()
deepMerge(obj, payload)
expect(obj.polluted).toBeUndefined()
expect(obj2.polluted).toBeUndefined()
})
})
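Review bot: The new test exercises only the `__proto__` key, while the guard added in src/object.ts in this same commit also skips `constructor` and `prototype`, so that branch stays unpinned; a second case using `JSON.parse('{"constructor":{"prototype":{"polluted":"Polluted!"}}}')` with the same four assertions would cover it. The `obj2.polluted` checks are what actually prove `Object.prototype` was not modified, since `obj2` never enters `deepMerge`; a comment such as `// obj2 is never merged: it only detects pollution of Object.prototype` would make that intent clear to the next reader. The `as any` casts could be `as Record<string, unknown>` without changing what the assertions check.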
3 changes: 3 additions & 0 deletions src/object.ts
Expand Up @@ -82,6 +82,9 @@ export function deepMerge<T extends object = object, S extends object = T>(targe

if (isMergableObject(target) && isMergableObject(source)) {
objectKeys(source).forEach((key) => {
if (key === '__proto__' || key === 'constructor' || key === 'prototype')
return

// @ts-expect-error
if (isMergableObject(source[key])) {
// @ts-expect-error
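Review bot: The guard on the first added line carries no comment saying why these three keys are skipped, so a later cleanup could drop it as a seemingly arbitrary filter; add `// Prototype-pollution guard: a source key that reaches Object.prototype through the target is never merged.` above it. The check also means a plain-object source whose own property is legitimately named `constructor` or `prototype` is now silently dropped instead of merged; that is an acceptable tradeoff, but it belongs in deepMerge's TSDoc so callers are not surprised. The enclosing deepMerge body starts before and continues after this hunk, and the key source of `objectKeys` is not visible here, so whether non-own keys could ever be enumerated cannot be confirmed from this view.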

