fix(security): Follow up on CVE-2020-28477 where `path: [["__proto__"], "x"]` could still pollute the prototype
mweststrate committed Aug 31, 2021
1 parent 2e0aa95 commit fa671e5
Showing 2 changed files with 19 additions and 1 deletion.
18 changes: 18 additions & 0 deletions __tests__/patch.js
Expand Up @@ -1258,6 +1258,24 @@ test("maps can store __proto__, prototype and constructor props", () => {
expect(obj.polluted).toBe(undefined)
})

test("CVE-2020-28477 (https://snyk.io/vuln/SNYK-JS-IMMER-1019369) follow up", () => {
const obj = {}

// @ts-ignore
expect(obj.polluted).toBe(undefined)
expect(() => {
applyPatches({}, [
{op: "add", path: [["__proto__"], "polluted"], value: "yes"}
])
}).toThrow(
isProd
? "24"
: "Patching reserved attributes like __proto__, prototype and constructor is not allowed"
)
// @ts-ignore
expect(obj.polluted).toBe(undefined)
})

test("#648 assigning object to itself should not change patches", () => {
const input = {
obj: {
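Review bot: Coverage in the new test stops at the `__proto__` case: the patch path only wraps `"__proto__"` in an array, while the expected error message also names `prototype` and `constructor`. Adding the same assertion for array-wrapped `constructor` and `prototype` segments would pin the fix for all three reserved names. Separately, `obj` is never passed to `applyPatches` (the patch is applied to a fresh `{}`); the `obj.polluted` checks still work because both objects share one prototype, but a one-line comment saying so would make the intent clear. If the assertion ever regresses, the polluted property would stay on the shared prototype for later tests, so consider deleting it in a cleanup step.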
2 changes: 1 addition & 1 deletion src/plugins/patches.ts
Expand Up @@ -207,7 +207,7 @@ export function enablePatches() {
let base: any = draft
for (let i = 0; i < path.length - 1; i++) {
const parentType = getArchtype(base)
const p = path[i]
const p = "" + path[i]
// See #738, avoid prototype pollution
if (
(parentType === Archtype.Object || parentType === Archtype.Array) &&
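Review bot: The string coercion in `const p = "" + path[i]` is applied to every path segment, while the guard that follows only concerns `Archtype.Object` and `Archtype.Array` parents. If `p` is also the key the rest of the loop uses to step into `base`, numeric keys under other parent types such as maps will reach the lookup as strings, which is what the comment on this commit reports as #952. Consider keeping `path[i]` as the traversal key and using the stringified form only in the reserved-name comparison. The `// See #738` comment could also say why the coercion is needed: an array segment like `["__proto__"]` stringifies to `"__proto__"`, so a comparison against the raw segment never matches. The loop stops at `path.length - 1`, so it is worth confirming that the final segment gets the same treatment where it is applied.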

1 comment on commit fa671e5

@childrentime
Contributor

@mweststrate `const p = "" + path[i]` will cause issue #952, which caused an error when the map uses a number as a key.
