do not extend __proto__

Feiyang1 · Feiyang1 · commit bff427533bc4 · 2020-10-26T17:42:51.000-07:00
diff --git a/packages/util/src/deepCopy.ts b/packages/util/src/deepCopy.ts
@@ -33,6 +33,8 @@ export function deepCopy<T>(value: T): T {
  *
  * Note that the target can be a function, in which case the properties in
  * the source Object are copied onto it as static properties of the Function.
+ *
+ * Note: we don't merge __proto__ to prevent prototype pollution
  */
 export function deepExtend(target: unknown, source: unknown): unknown {
   if (!(source instanceof Object)) {
@@ -62,14 +64,19 @@ export function deepExtend(target: unknown, source: unknown): unknown {
   }
 
   for (const prop in source) {
-    if (!source.hasOwnProperty(prop)) {
+    // use isValidKey to guard against prototype pollution. See https://snyk.io/vuln/SNYK-JS-LODASH-450202
+    if (!source.hasOwnProperty(prop) || !isValidKey(prop)) {
       continue;
     }
-    (target as { [key: string]: unknown })[prop] = deepExtend(
-      (target as { [key: string]: unknown })[prop],
-      (source as { [key: string]: unknown })[prop]
+    (target as Record<string, unknown>)[prop] = deepExtend(
+      (target as Record<string, unknown>)[prop],
+      (source as Record<string, unknown>)[prop]
     );
   }
 
   return target;
 }
+
+function isValidKey(key: string): boolean {
+  return key !== '__proto__';
+}
diff --git a/packages/util/test/deepCopy.test.ts b/packages/util/test/deepCopy.test.ts
@@ -14,14 +14,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-import { assert } from 'chai';
+import { assert, expect } from 'chai';
 import { deepCopy, deepExtend } from '../src/deepCopy';
 
 describe('deepCopy()', () => {
   it('Scalars', () => {
-    assert.strictEqual(deepCopy(true), true);
-    assert.strictEqual(deepCopy(123), 123);
-    assert.strictEqual(deepCopy('abc'), 'abc');
+    expect(deepCopy(true)).to.equal(true);
+    expect(deepCopy(123)).to.equal(123);
+    expect(deepCopy('abc')).to.equal('abc');
   });
 
   it('Date', () => {
@@ -103,4 +103,16 @@ describe('deepExtend', () => {
     assert.deepEqual({ a: source }, target);
     assert.strictEqual(source, target.a);
   });
+
+  it.only('does not extend property __proto__', () => {
+    const src = JSON.parse('{ "__proto__": { "polluted": "polluted" } }');
+    const a = {};
+    deepExtend(a, src);
+
+    // @ts-expect-error
+    expect(a.__proto__).to.equal(Object.prototype);
+
+    // @ts-expect-error
+    expect(a.polluted).to.be.undefined;
+  });
 });
