From ae90837c037028926716ed2f81eac06b42851721 Mon Sep 17 00:00:00 2001
From: Danny Banks
Date: Mon, 1 Mar 2021 16:07:46 -0800
Subject: [PATCH] fix(extend): remove prototype pollution

---
 __tests__/extend.test.js | 9 +++++++++
 lib/utils/deepExtend.js | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/__tests__/extend.test.js b/__tests__/extend.test.js
index 1c50bd6e8..30693f7c6 100644
--- a/__tests__/extend.test.js
+++ b/__tests__/extend.test.js
@@ -245,4 +245,13 @@ describe('extend', () => {
 expect(StyleDictionary3.foo).toBe('boo');
 expect(StyleDictionary).not.toHaveProperty('foo');
 });
+
+ it(`should not pollute the prototype`, () => {
+ const obj = {};
+ let opts = JSON.parse('{"__proto__":{"polluted":"yes"}}');
+ console.log("Before : " + obj.polluted);
+ StyleDictionary.extend(opts);
+ console.log("After : " + obj.polluted);
+ expect(obj.polluted).toBeUndefined();
+ });
 });
diff --git a/lib/utils/deepExtend.js b/lib/utils/deepExtend.js
index 6f7555227..9c81bc10e 100644
--- a/lib/utils/deepExtend.js
+++ b/lib/utils/deepExtend.js
@@ -44,6 +44,8 @@ function deepExtend(objects, collision, path) {
 for (name in options) {
 if (!options.hasOwnProperty(name)) continue;
+ if (name === '__proto__')
+ continue;
 src = target[name];
 copy = options[name];
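Review bot: The new test in __tests__/extend.test.js leaves two `console.log` debugging lines around the `StyleDictionary.extend(opts)` call that only add noise to the test output and should be dropped, and `opts` is never reassigned, so `const opts = JSON.parse('{"__proto__":{"polluted":"yes"}}');` is the idiomatic form. The assertion would be more direct as `expect(Object.prototype).not.toHaveProperty('polluted');`, which checks the shared prototype itself rather than relying on a fresh `obj` inheriting from it. The test only exercises the `__proto__` key, which matches the single `name === '__proto__'` guard added in lib/utils/deepExtend.js (that hunk continues past the end of the patch as shown); pollution reached through a nested `constructor`/`prototype` key is not blocked by that check, so extending the guard to those names and adding a second test case for that shape would close the remaining gap.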