fix: protect against prototype pollution

RebeccaStevens · Mar 31, 2022 · d637db7 · d637db7
1 parent 7436788
commit d637db7
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/src/deepmerge.ts b/src/deepmerge.ts
@@ -438,7 +438,16 @@ function defaultMergeRecords<
       continue;
     }
 
-    result[key] = propertyResult;
+    if (key === "__proto__") {
+      Object.defineProperty(result, key, {
+        value: propertyResult,
+        configurable: true,
+        enumerable: true,
+        writable: true,
+      });
+    } else {
+      result[key] = propertyResult;
+    }
   }
 
   /* eslint-enable functional/no-loop-statement, functional/no-conditional-statement */

diff --git a/tests/deepmerge.test.ts b/tests/deepmerge.test.ts
@@ -539,3 +539,19 @@ test(`merging objects with null prototype`, (t) => {
 
   t.deepEqual(merged, expected);
 });
+
+test("prototype pollution", (t) => {
+  const payload = '{"__proto__":{"a0":true}}';
+
+  const x: any = JSON.parse(payload);
+  const y: any = {};
+
+  const merged: any = deepmerge(x, y);
+
+  t.deepEqual(JSON.stringify(merged), payload);
+
+  t.not(({} as any).a0, true, "Safe POJO");
+  t.not(x.a0, true, "Safe x input");
+  t.not(y.a0, true, "Safe y input");
+  t.not(merged.a0, true, "Safe output");
+});