fix: explicit "__proto__" guard;
- Closes #11
lukeed committed Jan 13, 2020
1 parent 4e73d31 commit 200e8d1
Showing 2 changed files with 12 additions and 1 deletion.
9 changes: 9 additions & 0 deletions src/index.js
Expand Up @@ -6,8 +6,17 @@ export default function klona(x) {
if (str === '[object Object]') {
tmp = {};
for (k in x) {
if (k === '__proto__') {
Object.defineProperty(tmp, k, {
value: klona(x[k]),
configurable: 1,
enumerable: 1,
writable: 1,
});
} else {
tmp[k] = klona(x[k]);
}
}
return tmp;
}

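Review bot: The new `__proto__` branch needs a why-comment, because the reason for the `Object.defineProperty` detour is invisible from the code: a plain `tmp[k] = …` on a key named `__proto__` goes through the inherited `__proto__` accessor and replaces the clone's prototype with the cloned value, whereas `defineProperty` creates an ordinary own data property on `tmp`. Suggested comment above the `Object.defineProperty(tmp, k, {` line: `// own data property: plain assignment would hit the __proto__ setter and swap tmp's prototype`. The descriptor uses `configurable: 1, enumerable: 1, writable: 1`; `true` would read more conventionally, though the numeric form is presumably a deliberate byte-size choice for this library. The body of klona begins before and continues after this hunk.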
4 changes: 3 additions & 1 deletion test/index.js
Expand Up @@ -99,16 +99,17 @@ test('constructor :: pollution', t => {
);

t.not(({})['a0'], true, 'Safe POJO');
t.not(new Object()['a0'], true, 'Safe Object');
t.not(input['a0'], true, 'Safe input');
t.not(output['a0'], true, 'Safe output');

t.end();
});


// @see https://snyk.io/vuln/SNYK-JS-LODASH-450202
test('prototype :: pollution', t => {
const payload = '{"__proto__":{"a0":true}}';

const input = JSON.parse(payload);
const output = klona(input);

Expand All @@ -118,6 +119,7 @@ test('prototype :: pollution', t => {
);

t.not(({})['a0'], true, 'Safe POJO');
t.not(new Object()['a0'], true, 'Safe Object');
t.not(input['a0'], true, 'Safe input');
t.not(output['a0'], true, 'Safe output');

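Review bot: The added `t.not(new Object()['a0'], true, 'Safe Object')` assertions only detect pollution when the leaked value is exactly `true`, so they are tied to the specific payload rather than to the absence of the key; a stricter check is `t.is(('a0' in new Object()), false, 'Safe Object');` (and the same for the existing `({})['a0']` line), which fails for any polluted value. Since `({})` and `new Object()` share the same prototype, the two lines appear to assert the same thing, so the second may be redundant unless it is meant as documentation of intent. Both `test(...)` bodies extend outside the visible hunks.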
