
Commit 233ec90

Security Fix for Prototype Pollution (#579)
Fixing the issues in set() and deepFillIn()
1 parent 46a319d commit 233ec90


1 file changed

+2
-0
lines changed


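--- a/src/utils.js
+++ b/src/utils.js
@@ -62,6 +62,7 @@ const mkdirP = function (object, path) {
 }
 const parts = path.split('.')
 parts.forEach(function (key) {
+if (isPrototypePolluted(key)) return
 if (!object[key]) {
 object[key] = {}
 }
@@ -419,6 +420,7 @@ const utils = {
 deepFillIn (dest, source) {
 if (source) {
 utils.forOwn(source, function (value, key) {
+if (isPrototypePolluted(key)) return
 const existing = dest[key]
 if (isPlainObject(value) && isPlainObject(existing)) {
 utils.deepFillIn(existing, value)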
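Review bot: In `mkdirP` the added guard returns only from the `forEach` callback, so a blocked segment is skipped while the remaining segments are still processed against the current object. The rest of the callback is outside the hunk, but if it descends with something like `object = object[key]`, a path containing a blocked key is silently rewritten to a shorter path and the caller ends up writing to a location it never named. Rejecting the whole path before the loop would be safer, for example `if (parts.some((key) => isPrototypePolluted(key))) throw new Error('unsafe path segment')`, or whatever rejection the callers of `mkdirP` can handle. `isPrototypePolluted` is defined outside the visible lines, so a short comment at both call sites naming the keys it blocks would help the next reader. The commit changes only `src/utils.js`, so a regression test covering `set()` and `deepFillIn()` with a blocked key is still missing.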
