From 78b3411919540d7d55737ac6e6f92d4a890ae3b8 Mon Sep 17 00:00:00 2001
From: melloware
Date: Mon, 15 Apr 2024 08:09:45 -0400
Subject: [PATCH] Fix #6393: Locale prevent prototype pollution
---
 components/lib/api/Locale.js | 24 ++++++++++++++++++++++++
 components/lib/hooks/useLocale.js | 20 ++++++++++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/components/lib/api/Locale.js b/components/lib/api/Locale.js
index 7939b25a36..6891f02e0a 100644
--- a/components/lib/api/Locale.js
+++ b/components/lib/api/Locale.js
@@ -137,20 +137,36 @@ function locale(locale) {
 }
 function addLocale(locale, options) {
+ if (locale.includes('__proto__') || locale.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
+
 locales[locale] = { ...locales.en, ...options };
 }
 function updateLocaleOption(key, value, locale) {
+ if (key.includes('__proto__') || key.includes('prototype')) {
+ throw new Error('Unsafe key detected');
+ }
+
 localeOptions(locale)[key] = value;
 }
 function updateLocaleOptions(options, locale) {
+ if (locale.includes('__proto__') || locale.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
+
 const _locale = locale || PrimeReact.locale;
 locales[_locale] = { ...locales[_locale], ...options };
 }
 function localeOption(key, locale) {
+ if (key.includes('__proto__') || key.includes('prototype')) {
+ throw new Error('Unsafe key detected');
+ }
+
 const _locale = locale || PrimeReact.locale;
 try {
@@ -173,6 +189,10 @@ function localeOption(key, locale) {
 * @returns the ARIA label with replaced values
 */
 function ariaLabel(ariaKey, options) {
+ if (ariaKey.includes('__proto__') || ariaKey.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
+
 const _locale = PrimeReact.locale;
 try {
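Review bot: In `updateLocaleOptions` the new guard calls `locale.includes(...)` before the existing fallback `const _locale = locale || PrimeReact.locale;`, so a call that omits `locale` now fails with a TypeError instead of using the default locale. The same ordering appears in `localeOptions` (and therefore in `updateLocaleOption`, which calls it with its own optional `locale`) and in the matching functions in `useLocale.js`. Moving the guard below the fallback and testing the resolved name fixes the regression and also checks the value that is actually used for the lookup: `if (_locale.includes('__proto__') || _locale.includes('prototype')) {`.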
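Review bot: `ariaLabel` now throws for some inputs, but the JSDoc block above it (its `@returns` line is visible at the top of this hunk) does not say so. I would add `@throws {Error} if ariaKey contains '__proto__' or 'prototype'` to that block. The guard also sits before the `try {` that follows, so whatever fallback that block provides presumably no longer applies to a rejected key, and callers that render labels need to expect an exception. The body of `ariaLabel` continues outside the hunk; the same applies to `ariaLabel` in `useLocale.js`.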
@@ -193,6 +213,10 @@ function ariaLabel(ariaKey, options) {
 }
 function localeOptions(locale) {
+ if (locale.includes('__proto__') || locale.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
+
 const _locale = locale || PrimeReact.locale;
 return locales[_locale];
diff --git a/components/lib/hooks/useLocale.js b/components/lib/hooks/useLocale.js
index 2aa33505d9..7e115220b1 100644
--- a/components/lib/hooks/useLocale.js
+++ b/components/lib/hooks/useLocale.js
@@ -146,20 +146,34 @@ export const useLocale = () => {
 };
 const addLocale = (locale, options) => {
+ if (locale.includes('__proto__') || locale.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
 locales[locale] = { ...locales['en'], ...options };
 };
 const updateLocaleOption = (key, value, locale) => {
+ if (key.includes('__proto__') || key.includes('prototype')) {
+ throw new Error('Unsafe key detected');
+ }
+
 localeOptions(locale)[key] = value;
 };
 const updateLocaleOptions = (options, locale) => {
+ if (locale.includes('__proto__') || locale.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
 const _locale = locale || (context && context.locale) || PrimeReact.locale;
 locales[_locale] = { ...locales[_locale], ...options };
 };
 const localeOption = (key, locale) => {
+ if (key.includes('__proto__') || key.includes('prototype')) {
+ throw new Error('Unsafe key detected');
+ }
+
 const _locale = locale || (context && context.locale) || PrimeReact.locale;
 try {
@@ -182,6 +196,9 @@ export const useLocale = () => {
 * @returns the ARIA label with replaced values
 */
 const ariaLabel = (ariaKey, options) => {
+ if (ariaKey.includes('__proto__') || ariaKey.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
 const _locale = (context && context.locale) || PrimeReact.locale;
 try {
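Review bot: The guard in `localeOptions` is a substring denylist, while the lookup it protects, `return locales[_locale];`, resolves any inherited property name. Names outside the two listed can therefore still return an object that is not a locale table, and a legitimate name that merely contains `prototype` is rejected. An own-property test on the resolved name covers every inherited name without maintaining a list: `return Object.prototype.hasOwnProperty.call(locales, _locale) ? locales[_locale] : undefined;`. The declaration of `locales` is not visible here; if it is a plain object literal, creating it with a null prototype would be a complementary hardening. The same applies to `localeOptions` in `useLocale.js`.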
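Review bot: In `updateLocaleOption` the guard assumes `key` is a string, but the write it protects, `localeOptions(locale)[key] = value;`, converts `key` to a property name before using it. For a non-string argument the check and the write can therefore see different values: a number has no `includes` and raises a TypeError, and an array's `includes` compares elements instead of searching a substring. Normalising once and using the same value in both places closes the gap: `const name = String(key);`, then run the check and the assignment on `name`. The same applies to `localeOption` in this hunk and to the `key` guards in `Locale.js`.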
@@ -202,6 +219,9 @@ export const useLocale = () => {
 };
 const localeOptions = (locale) => {
+ if (locale.includes('__proto__') || locale.includes('prototype')) {
+ throw new Error('Unsafe ariaKey detected');
+ }
 const _locale = locale || (context && context.locale) || PrimeReact.locale;
 return locales[_locale];
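Review bot: This guard is the twelfth copy of the same three lines across `Locale.js` and `useLocale.js`, and the copies that test a `locale` argument (here, and in `addLocale` and `updateLocaleOptions`) throw `'Unsafe ariaKey detected'`, which names the wrong argument to whoever reads the error. A single helper keeps the rule and the message in one place, so a later change to the check cannot miss a call site. The sketch below shows such a helper and its use in `localeOptions`, applied to the resolved `_locale` so the `context.locale` and `PrimeReact.locale` fallbacks are covered as well. `localeOptions` ends outside the hunk.

```javascript
// One place for the rule; `label` names the offending argument in the message.
const assertSafeName = (name, label) => {
    const text = String(name);

    if (text.includes('__proto__') || text.includes('prototype')) {
        throw new Error(`Unsafe ${label} detected`);
    }
};

const localeOptions = (locale) => {
    const _locale = locale || (context && context.locale) || PrimeReact.locale;

    assertSafeName(_locale, 'locale');
    // … unchanged: return locales[_locale] …
```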