fix(security): Fixed GHSA-g974-hxvm-x689

postalsys · Sep 19, 2024 · 63e627c · 63e627c
1 parent a92527e
commit 63e627c
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/lib/gettext.js b/lib/gettext.js
@@ -105,6 +105,26 @@ Gettext.prototype.warn = function (message) {
  * @param {Object} translations  An object of gettext-parser JSON shape
  */
 Gettext.prototype.addTranslations = function (locale, domain, translations) {
+    if (typeof locale !== 'string') {
+        this.warn('You called addTranslations() with an argument of type ' + typeof locale + '. The locale must be a string.');
+        return;
+    }
+
+    if (typeof locale !== 'string') {
+        this.warn('You called setLocale() with an argument of type ' + typeof locale + '. The locale must be a string.');
+        return;
+    }
+
+    if (locale in {}) {
+        this.warn('Can not use reserved key as locale');
+        return;
+    }
+
+    if (domain in {}) {
+        this.warn('Can not use reserved key as domain');
+        return;
+    }
+
     if (!this.catalogs[locale]) {
         this.catalogs[locale] = {};
     }
@@ -126,6 +146,11 @@ Gettext.prototype.setLocale = function (locale) {
         return;
     }
 
+    if (locale in {}) {
+        this.warn('Can not use reserved key as locale');
+        return;
+    }
+
     if (locale.trim() === '') {
         this.warn('You called setLocale() with an empty value, which makes little sense.');
     }
@@ -151,6 +176,11 @@ Gettext.prototype.setTextDomain = function (domain) {
         return;
     }
 
+    if (domain in {}) {
+        this.warn('Can not use reserved key as domain');
+        return;
+    }
+
     if (domain.trim() === '') {
         this.warn('You called setTextDomain() with an empty `domain` value.');
     }

diff --git a/test/gettext-test.js b/test/gettext-test.js
@@ -262,6 +262,11 @@ describe('Gettext', () => {
             expect(errorListener.callCount).to.equal(0);
         });
 
+        it('should emit an error event when adding a reserved key as locale', () => {
+            gt.addTranslations('__proto__', 'polluted', 'pwned');
+            expect(errorListener.callCount).to.equal(1);
+        });
+
         it('should emit an error event when a locale that has no translations is set', () => {
             gt.setLocale('et-EE');
             expect(errorListener.callCount).to.equal(1);