Skip to content

Commit

Permalink
fix(security): fixed formToJSON prototype pollution vulnerability; (#…
Browse files Browse the repository at this point in the history 
…6167)
  • Loading branch information
@DigitalBrainJS
DigitalBrainJS committed Jan 3, 2024
1 parent 75af1cd commit 3c0c11c
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/helpers/formDataToJSON.js
View file
Expand Up @@ -49,6 +49,9 @@ function arrayToObject(arr) {
function formDataToJSON(formData) {
function buildPath(path, value, target, index) {
let name = path[index++];

if (name === '__proto__') return true;

const isNumericKey = Number.isFinite(+name);
const isLast = index >= path.length;
name = !name && utils.isArray(target) ? target.length : name;
Expand Down
21 changes: 21 additions & 0 deletions test/specs/helpers/formDataToJSON.spec.js
View file
Expand Up @@ -47,4 +47,25 @@ describe('formDataToJSON', function () {
foo: ['1', '2']
});
});

it('should resist prototype pollution CVE', () => {
const formData = new FormData();

formData.append('foo[0]', '1');
formData.append('foo[1]', '2');
formData.append('__proto__.x', 'hack');
formData.append('constructor.prototype.y', 'value');

expect(formDataToJSON(formData)).toEqual({
foo: ['1', '2'],
constructor: {
prototype: {

This comment has been minimized.

Sign in to view

Copy link
@prabhu

prabhu Feb 25, 2024

Why do we need a situation where the user-provided input is allowed to set the constructor.prototype? Why is the fix only checking for __proto__ when there are other known patterns for prototype pollution?
y: 'value'
}
}
});

expect({}.x).toEqual(undefined);
expect({}.y).toEqual(undefined);
});
});

0 comments on commit 3c0c11c

Please sign in to comment.