From 20e10a897c2a319740b6f2509e432ad7cdfa15af Mon Sep 17 00:00:00 2001
From: Evert Timberg
Date: Sun, 18 Oct 2020 13:18:39 -0400
Subject: [PATCH 1/2] When objects are merged together, the target prototype can be polluted. This change blocks updates to the `__proto__` key during config merge
---
 src/helpers/helpers.core.js | 6 ++++++
 test/specs/helpers.core.tests.js | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/src/helpers/helpers.core.js b/src/helpers/helpers.core.js
index 6cf28c00d41..852119fe824 100644
--- a/src/helpers/helpers.core.js
+++ b/src/helpers/helpers.core.js
@@ -196,6 +196,12 @@ var helpers = {
  * @private
  */
 _merger: function(key, target, source, options) {
+ if (['__proto__', 'prototype', 'constructor'].indexOf(key) !== -1) {
+ // We want to ensure we do not copy prototypes over
+ // as this can pollute global namespaces
+ return;
+ }
+
 var tval = target[key];
 var sval = source[key];
diff --git a/test/specs/helpers.core.tests.js b/test/specs/helpers.core.tests.js
index 1f524089a21..d145bb21d0e 100644
--- a/test/specs/helpers.core.tests.js
+++ b/test/specs/helpers.core.tests.js
@@ -323,6 +323,11 @@ describe('Chart.helpers.core', function() {
 });
 describe('merge', function() {
+ it('should not allow prototype pollution', function() {
+ var test = helpers.merge({}, JSON.parse('{"__proto__":{"polluted": true}}'));
+ expect(test.prototype).toBeUndefined();
+ expect(Object.prototype.polluted).toBeUndefined();
+ });
 it('should update target and return it', function() {
 var target = {a: 1};
 var result = helpers.merge(target, {a: 2, b: 'foo'});
From 889eb161a440a0268b859c34e9c12f9a12446e52 Mon Sep 17 00:00:00 2001
From: Evert Timberg
Date: Sun, 18 Oct 2020 13:38:24 -0400
Subject: [PATCH 2/2] Block bad keys in _mergerIf
---
 src/helpers/helpers.core.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/helpers/helpers.core.js b/src/helpers/helpers.core.js
index 852119fe824..c975cb0fb66 100644
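Review bot: The key check sits inside `_merger` in src/helpers/helpers.core.js, so it protects only the callers that end up in this default merger. If `merge` lets a caller supply its own `options.merger` (the body of `merge` is outside this hunk, so this is an assumption to confirm), a custom merger that writes `target[key]` itself never reaches the guard. Filtering the key once in the loop of `merge`, before any merger is invoked, would cover both paths. The early `return` also silently drops a legitimate own key named `constructor` or `prototype`, which deserves a line in the JSDoc above, e.g. `* Keys '__proto__', 'prototype' and 'constructor' are never merged.` The body of `_merger` continues past the end of the hunk.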
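Review bot: In test/specs/helpers.core.tests.js the assertion `expect(test.prototype).toBeUndefined();` is true for any plain object, so it passes with or without the guard; only the `Object.prototype.polluted` check exercises the fix. I would replace it with `expect(Object.getPrototypeOf(test)).toBe(Object.prototype);` and add cases for the `constructor` and `prototype` keys, which the guard blocks but no spec covers. If the guard ever regresses, `Object.prototype.polluted` stays set for every later spec, so an `afterEach` that runs `delete Object.prototype.polluted;` would keep the failure contained to this test.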
--- a/src/helpers/helpers.core.js
+++ b/src/helpers/helpers.core.js
@@ -1,5 +1,9 @@
 'use strict';
+function isValidKey(key) {
+ return ['__proto__', 'prototype', 'constructor'].indexOf(key) === -1;
+}
+
 /**
  * @namespace Chart.helpers
  */
@@ -196,7 +200,7 @@ var helpers = {
  * @private
  */
 _merger: function(key, target, source, options) {
- if (['__proto__', 'prototype', 'constructor'].indexOf(key) !== -1) {
+ if (!isValidKey(key)) {
 // We want to ensure we do not copy prototypes over
 // as this can pollute global namespaces
 return;
@@ -217,6 +221,12 @@ var helpers = {
  * @private
  */
 _mergerIf: function(key, target, source) {
+ if (!isValidKey(key)) {
+ // We want to ensure we do not copy prototypes over
+ // as this can pollute global namespaces
+ return;
+ }
+
 var tval = target[key];
 var sval = source[key];
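Review bot: `isValidKey` at the top of src/helpers/helpers.core.js is undocumented, and its name does not tell a reader that it is the prototype-pollution guard for the merge helpers. A one-line header such as `// Keys that reach an object's prototype chain or constructor; the merge helpers skip them.` would make the intent explicit and tell the next maintainer not to loosen the list. The three-element array is also rebuilt on every call, that is, once per key of every merge; hoisting it to a module-level `var` next to the function keeps the check identical and avoids the repeated allocation.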
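Review bot: The guard added to `_mergerIf` has no spec. This patch touches only src/helpers/helpers.core.js, and the test added in patch 1/2 calls `helpers.merge` only, so a regression on the `mergeIf` path would go unnoticed. A matching case next to the existing merge specs would pin it, e.g. `helpers.mergeIf({}, JSON.parse('{"__proto__":{"polluted": true}}'));` followed by `expect(Object.prototype.polluted).toBeUndefined();`. The same guard and comment now appear verbatim in both `_merger` and `_mergerIf`, so a later merger could easily be added without it; a note on `isValidKey` that every merger must call it first would help. The body of `_mergerIf` continues past the end of the hunk.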