Fixing GHSA-hpqf-m68j-2pfx Prototype Pollution

Signed-off-by: Charlie Fish <[email protected]>

Author: fishcharlie

lib/set.ts

@@ -2,6 +2,13 @@ import {GeneralObject, GeneralObjectOrValue} from "./types";
 
 export = <T>(object: GeneralObject<T>, key: string, value: any): GeneralObject<T> => {
 	const keyParts = key.split(".");
+
+	// Protect against prototype pollution
+	if (keyParts.includes("__proto__") || keyParts.includes("constructor")) {
+		// If the key is __proto__ or constructor, return the object and do nothing since this is a security risk.
+		return object;
+	}
+
 	let objectRef: GeneralObjectOrValue<T> = object;
 	keyParts.forEach((part: string | number, index: number) => {
 		if (keyParts.length - 1 === index) {
@@ -16,9 +23,7 @@ export = <T>(object: GeneralObject<T>, key: string, value: any): GeneralObject<T
 	});
 
 	const finalKey: string = keyParts[keyParts.length - 1];
-	if (finalKey !== "__proto__" && finalKey !== "constructor") {
-		objectRef[finalKey] = value;
-	}
+	objectRef[finalKey] = value;
 
 	return object;
 };

test/set.js

@@ -54,4 +54,18 @@ describe("utils.set", () => {
 			expect(utils.set(...test.input)).to.eql(test.output);
 		});
 	});
+
+	it("Should protect against prototype pollution when using Reflect.apply for __proto__", () => {
+		let obj = {};
+		expect(JSON.stringify({}.__proto__)).to.eql("{}");
+		try {
+			// for multiple functions, uncomment only one for each execution.
+			Reflect.apply(utils.set, {}, [obj, "__proto__.pollutedKey", 123]);
+		} catch (e) {
+			expect(e).to.not.exist();
+		}
+		expect(JSON.stringify({}.__proto__)).to.eql("{}");
+		expect(Object.prototype.pollutedKey).to.be.undefined;
+		delete Object.prototype.pollutedKey;
+	});
 });