Fix #6393: Locale prevent prototype pollution (#6395)
melloware authored Apr 15, 2024
1 parent ca6ec19 commit 3fb2bf1
Showing 2 changed files with 44 additions and 0 deletions.
24 changes: 24 additions & 0 deletions components/lib/api/Locale.js
Expand Up @@ -137,20 +137,36 @@ function locale(locale) {
}

function addLocale(locale, options) {
if (locale.includes('__proto__') || locale.includes('prototype')) {
throw new Error('Unsafe locale detected');
}

locales[locale] = { ...locales.en, ...options };
}

function updateLocaleOption(key, value, locale) {
if (key.includes('__proto__') || key.includes('prototype')) {
throw new Error('Unsafe key detected');
}

localeOptions(locale)[key] = value;
}

function updateLocaleOptions(options, locale) {
if (locale.includes('__proto__') || locale.includes('prototype')) {
throw new Error('Unsafe locale detected');
}

const _locale = locale || PrimeReact.locale;

locales[_locale] = { ...locales[_locale], ...options };
}

function localeOption(key, locale) {
if (key.includes('__proto__') || key.includes('prototype')) {
throw new Error('Unsafe key detected');
}

const _locale = locale || PrimeReact.locale;

try {
Expand All @@ -173,6 +189,10 @@ function localeOption(key, locale) {
* @returns the ARIA label with replaced values
*/
function ariaLabel(ariaKey, options) {
if (ariaKey.includes('__proto__') || ariaKey.includes('prototype')) {
throw new Error('Unsafe ariaKey detected');
}

const _locale = PrimeReact.locale;

try {
Expand All @@ -195,6 +215,10 @@ function ariaLabel(ariaKey, options) {
function localeOptions(locale) {
const _locale = locale || PrimeReact.locale;

if (_locale.includes('__proto__') || _locale.includes('prototype')) {
throw new Error('Unsafe locale detected');
}

return locales[_locale];
}

20 changes: 20 additions & 0 deletions components/lib/hooks/useLocale.js
Expand Up @@ -146,20 +146,34 @@ export const useLocale = () => {
};

const addLocale = (locale, options) => {
if (locale.includes('__proto__') || locale.includes('prototype')) {
throw new Error('Unsafe locale detected');
}
locales[locale] = { ...locales['en'], ...options };
};

const updateLocaleOption = (key, value, locale) => {
if (key.includes('__proto__') || key.includes('prototype')) {
throw new Error('Unsafe key detected');
}

localeOptions(locale)[key] = value;
};

const updateLocaleOptions = (options, locale) => {
if (locale.includes('__proto__') || locale.includes('prototype')) {
throw new Error('Unsafe locale detected');
}
const _locale = locale || (context && context.locale) || PrimeReact.locale;

locales[_locale] = { ...locales[_locale], ...options };
};

const localeOption = (key, locale) => {
if (key.includes('__proto__') || key.includes('prototype')) {
throw new Error('Unsafe key detected');
}

const _locale = locale || (context && context.locale) || PrimeReact.locale;

try {
Expand All @@ -182,6 +196,9 @@ export const useLocale = () => {
* @returns the ARIA label with replaced values
*/
const ariaLabel = (ariaKey, options) => {
if (ariaKey.includes('__proto__') || ariaKey.includes('prototype')) {
throw new Error('Unsafe ariaKey detected');
}
const _locale = (context && context.locale) || PrimeReact.locale;

try {
Expand All @@ -203,6 +220,9 @@ export const useLocale = () => {

const localeOptions = (locale) => {
const _locale = locale || (context && context.locale) || PrimeReact.locale;
if (_locale.includes('__proto__') || _locale.includes('prototype')) {
throw new Error('Unsafe locale detected');
}

return locales[_locale];
};
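Review bot: The guards match by substring, so any key or locale that merely contains `prototype` is rejected, while other inherited names such as `constructor` are not covered; this holds for all six checks in this file and the matching ones in components/lib/api/Locale.js. Comparing against exact names in one shared helper would be narrower and easier to audit than twelve copies of the same condition. For the read path in `localeOptions`, an own-property test such as `Object.prototype.hasOwnProperty.call(locales, _locale)` before `return locales[_locale];` would stop inherited members from being returned at all. `locales` is declared outside these hunks, so this assumes it is an ordinary object; if it is, creating it with `Object.create(null)` would remove the inherited names at the source.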
