Skip to content

Commit

Permalink
[cherry-pick][utils] Fix GitHub-reported prototype pollution vulnerab…
Browse files Browse the repository at this point in the history
…ility in `deepmerge` (#41652) (#42608)
  • Loading branch information
DiegoAndai authored Jun 11, 2024
1 parent c83dfd8 commit fab86c8
Show file tree
Hide file tree
Showing 2 changed files with 58 additions and 10 deletions.
56 changes: 52 additions & 4 deletions packages/mui-utils/src/deepmerge/deepmerge.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,59 @@ import deepmerge from './deepmerge';

describe('deepmerge', () => {
// https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
it('should not be subject to prototype pollution', () => {
deepmerge({}, JSON.parse('{ "myProperty": "a", "__proto__" : { "isAdmin" : true } }'), {
clone: false,
});
it('should not be subject to prototype pollution via __proto__', () => {
const result = deepmerge(
{},
JSON.parse('{ "myProperty": "a", "__proto__" : { "isAdmin" : true } }'),
{
clone: false,
},
);

// @ts-expect-error __proto__ is not on this object type
// eslint-disable-next-line no-proto
expect(result.__proto__).to.have.property('isAdmin');
expect({}).not.to.have.property('isAdmin');
});

// https://cwe.mitre.org/data/definitions/915.html
it('should not be subject to prototype pollution via constructor', () => {
const result = deepmerge(
{},
JSON.parse('{ "myProperty": "a", "constructor" : { "prototype": { "isAdmin" : true } } }'),
{
clone: true,
},
);

expect(result.constructor.prototype).to.have.property('isAdmin');
expect({}).not.to.have.property('isAdmin');
});

// https://cwe.mitre.org/data/definitions/915.html
it('should not be subject to prototype pollution via prototype', () => {
const result = deepmerge(
{},
JSON.parse('{ "myProperty": "a", "prototype": { "isAdmin" : true } }'),
{
clone: false,
},
);

// @ts-expect-error prototype is not on this object type
expect(result.prototype).to.have.property('isAdmin');
expect({}).not.to.have.property('isAdmin');
});

it('should appropriately copy the fields without prototype pollution', () => {
const result = deepmerge(
{},
JSON.parse('{ "myProperty": "a", "__proto__" : { "isAdmin" : true } }'),
);

// @ts-expect-error __proto__ is not on this object type
// eslint-disable-next-line no-proto
expect(result.__proto__).to.have.property('isAdmin');
expect({}).not.to.have.property('isAdmin');
});

Expand Down
12 changes: 6 additions & 6 deletions packages/mui-utils/src/deepmerge/deepmerge.ts
Original file line number Diff line number Diff line change
Expand Up @@ -41,12 +41,12 @@ export default function deepmerge<T>(

if (isPlainObject(target) && isPlainObject(source)) {
Object.keys(source).forEach((key) => {
// Avoid prototype pollution
if (key === '__proto__') {
return;
}

if (isPlainObject(source[key]) && key in target && isPlainObject(target[key])) {
if (
isPlainObject(source[key]) &&
// Avoid prototype pollution
Object.prototype.hasOwnProperty.call(target, key) &&
isPlainObject(target[key])
) {
// Since `output` is a clone of `target` and we have narrowed `target` in this block we can cast to the same type.
(output as Record<keyof any, unknown>)[key] = deepmerge(target[key], source[key], options);
} else if (options.clone) {
Expand Down

0 comments on commit fab86c8

Please sign in to comment.