fix(core): fixed __proto__ pollution

nolimits4web · nolimits4web · commit ec358deab79a · 2021-03-29T12:00:50.000+03:00
diff --git a/src/angular/src/utils/utils.ts b/src/angular/src/utils/utils.ts
@@ -8,20 +8,23 @@ export function isObject(o) {
 }
 
 export function extend(target, src) {
-  Object.keys(src).forEach((key) => {
-    if (typeof target[key] === 'undefined') {
-      target[key] = src[key];
-      return;
-    }
-    if (target[key] && !src[key]) {
-      return;
-    }
-    if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
-      extend(target[key], src[key]);
-    } else {
-      target[key] = src[key];
-    }
-  });
+  const noExtend = ['__proto__', 'constructor', 'prototype'];
+  Object.keys(src)
+    .filter((key) => noExtend.indexOf(key) < 0)
+    .forEach((key) => {
+      if (typeof target[key] === 'undefined') {
+        target[key] = src[key];
+        return;
+      }
+      if (target[key] && !src[key]) {
+        return;
+      }
+      if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+        extend(target[key], src[key]);
+      } else {
+        target[key] = src[key];
+      }
+    });
 }
 
 export function coerceBooleanProperty(value: any): boolean {
diff --git a/src/react/utils.js b/src/react/utils.js
@@ -8,14 +8,17 @@ function isObject(o) {
 }
 
 function extend(target, src) {
-  Object.keys(src).forEach((key) => {
-    if (typeof target[key] === 'undefined') target[key] = src[key];
-    else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
-      extend(target[key], src[key]);
-    } else {
-      target[key] = src[key];
-    }
-  });
+  const noExtend = ['__proto__', 'constructor', 'prototype'];
+  Object.keys(src)
+    .filter((key) => noExtend.indexOf(key) < 0)
+    .forEach((key) => {
+      if (typeof target[key] === 'undefined') target[key] = src[key];
+      else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+        extend(target[key], src[key]);
+      } else {
+        target[key] = src[key];
+      }
+    });
 }
 
 function needsNavigation(params = {}) {
diff --git a/src/svelte/utils.js b/src/svelte/utils.js
@@ -8,14 +8,17 @@ function isObject(o) {
 }
 
 function extend(target, src) {
-  Object.keys(src).forEach((key) => {
-    if (typeof target[key] === 'undefined') target[key] = src[key];
-    else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
-      extend(target[key], src[key]);
-    } else {
-      target[key] = src[key];
-    }
-  });
+  const noExtend = ['__proto__', 'constructor', 'prototype'];
+  Object.keys(src)
+    .filter((key) => noExtend.indexOf(key) < 0)
+    .forEach((key) => {
+      if (typeof target[key] === 'undefined') target[key] = src[key];
+      else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+        extend(target[key], src[key]);
+      } else {
+        target[key] = src[key];
+      }
+    });
 }
 
 function needsNavigation(params = {}) {
diff --git a/src/utils/utils.js b/src/utils/utils.js
@@ -94,10 +94,11 @@ function isObject(o) {
 }
 function extend(...args) {
   const to = Object(args[0]);
+  const noExtend = ['__proto__', 'constructor', 'prototype'];
   for (let i = 1; i < args.length; i += 1) {
     const nextSource = args[i];
     if (nextSource !== undefined && nextSource !== null) {
-      const keysArray = Object.keys(Object(nextSource)).filter((key) => key !== '__proto__');
+      const keysArray = Object.keys(Object(nextSource)).filter((key) => noExtend.indexOf(key) < 0);
       for (let nextIndex = 0, len = keysArray.length; nextIndex < len; nextIndex += 1) {
         const nextKey = keysArray[nextIndex];
         const desc = Object.getOwnPropertyDescriptor(nextSource, nextKey);
diff --git a/src/vue/utils.js b/src/vue/utils.js
@@ -8,14 +8,17 @@ function isObject(o) {
 }
 
 function extend(target, src) {
-  Object.keys(src).forEach((key) => {
-    if (typeof target[key] === 'undefined') target[key] = src[key];
-    else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
-      extend(target[key], src[key]);
-    } else {
-      target[key] = src[key];
-    }
-  });
+  const noExtend = ['__proto__', 'constructor', 'prototype'];
+  Object.keys(src)
+    .filter((key) => noExtend.indexOf(key) < 0)
+    .forEach((key) => {
+      if (typeof target[key] === 'undefined') target[key] = src[key];
+      else if (isObject(src[key]) && isObject(target[key]) && Object.keys(src[key]).length > 0) {
+        extend(target[key], src[key]);
+      } else {
+        target[key] = src[key];
+      }
+    });
 }
 
 function needsNavigation(props = {}) {
