Fix #6393: Locale prevent prototype pollution

components/lib/api/Locale.js

@@ -137,20 +137,36 @@ function locale(locale) {
 }
 
 function addLocale(locale, options) {
+    if (locale.includes('__proto__') || locale.includes('prototype')) {
+        throw new Error('Unsafe locale detected');
+    }
+
     locales[locale] = { ...locales.en, ...options };
 }
 
 function updateLocaleOption(key, value, locale) {
+    if (key.includes('__proto__') || key.includes('prototype')) {
+        throw new Error('Unsafe key detected');
+    }
+
     localeOptions(locale)[key] = value;
 }
 
 function updateLocaleOptions(options, locale) {
+    if (locale.includes('__proto__') || locale.includes('prototype')) {
+        throw new Error('Unsafe locale detected');
+    }
+
     const _locale = locale || PrimeReact.locale;
 
     locales[_locale] = { ...locales[_locale], ...options };
 }
 
 function localeOption(key, locale) {
+    if (key.includes('__proto__') || key.includes('prototype')) {
+        throw new Error('Unsafe key detected');
+    }
+
     const _locale = locale || PrimeReact.locale;
 
     try {
@@ -173,6 +189,10 @@ function localeOption(key, locale) {
  * @returns the ARIA label with replaced values
  */
 function ariaLabel(ariaKey, options) {
+    if (ariaKey.includes('__proto__') || ariaKey.includes('prototype')) {
+        throw new Error('Unsafe ariaKey detected');
+    }
+
     const _locale = PrimeReact.locale;
 
     try {
@@ -195,6 +215,10 @@ function ariaLabel(ariaKey, options) {
 function localeOptions(locale) {
     const _locale = locale || PrimeReact.locale;
 
+    if (_locale.includes('__proto__') || _locale.includes('prototype')) {
+        throw new Error('Unsafe locale detected');
+    }
+
     return locales[_locale];
 }
 

components/lib/hooks/useLocale.js

@@ -146,20 +146,34 @@ export const useLocale = () => {
     };
 
     const addLocale = (locale, options) => {
+        if (locale.includes('__proto__') || locale.includes('prototype')) {
+            throw new Error('Unsafe locale detected');
+        }
         locales[locale] = { ...locales['en'], ...options };
     };
 
     const updateLocaleOption = (key, value, locale) => {
+        if (key.includes('__proto__') || key.includes('prototype')) {
+            throw new Error('Unsafe key detected');
+        }
+
         localeOptions(locale)[key] = value;
     };
 
     const updateLocaleOptions = (options, locale) => {
+        if (locale.includes('__proto__') || locale.includes('prototype')) {
+            throw new Error('Unsafe locale detected');
+        }
         const _locale = locale || (context && context.locale) || PrimeReact.locale;
 
         locales[_locale] = { ...locales[_locale], ...options };
     };
 
     const localeOption = (key, locale) => {
+        if (key.includes('__proto__') || key.includes('prototype')) {
+            throw new Error('Unsafe key detected');
+        }
+
         const _locale = locale || (context && context.locale) || PrimeReact.locale;
 
         try {
@@ -182,6 +196,9 @@ export const useLocale = () => {
      * @returns the ARIA label with replaced values
      */
     const ariaLabel = (ariaKey, options) => {
+        if (ariaKey.includes('__proto__') || ariaKey.includes('prototype')) {
+            throw new Error('Unsafe ariaKey detected');
+        }
         const _locale = (context && context.locale) || PrimeReact.locale;
 
         try {
@@ -203,6 +220,9 @@ export const useLocale = () => {
 
     const localeOptions = (locale) => {
         const _locale = locale || (context && context.locale) || PrimeReact.locale;
+        if (_locale.includes('__proto__') || _locale.includes('prototype')) {
+            throw new Error('Unsafe locale detected');
+        }
 
         return locales[_locale];
     };