From 5474c8756c599fa97c1546cfdd1a60b81cc8cb1e Mon Sep 17 00:00:00 2001
From: Pionxzh
Date: Tue, 16 Jan 2024 10:24:32 +0800
Subject: [PATCH] fix: prevent prototype polluting

---
 src/utils/index.ts | 3 +++
 tests/util.test.tsx | 14 ++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/utils/index.ts b/src/utils/index.ts
index 5ff4392b..d67cdcfc 100644
--- a/src/utils/index.ts
+++ b/src/utils/index.ts
@@ -82,6 +82,9 @@ export function deleteValue (input: any, path: (string | number)[], value: any)
 
 const [key, ...restPath] = path
 if (key !== undefined) {
+ if (key === '__proto__') {
+ throw new TypeError('Modification of prototype is not allowed')
+ }
 if (restPath.length > 0) {
 input[key] = deleteValue(input[key], restPath, value)
 } else {
diff --git a/tests/util.test.tsx b/tests/util.test.tsx
index ac2852cb..65ab2e33 100644
--- a/tests/util.test.tsx
+++ b/tests/util.test.tsx
@@ -17,6 +17,13 @@ describe('function applyValue', () => {
 }).toThrow()
 })
 
+ test('prototype polluting', () => {
+ const original = {}
+ expect(() => {
+ applyValue(original, ['__proto__', 'polluted'], 1)
+ }).toThrow()
+ })
+
 test('undefined', () => {
 patches.forEach(patch => {
 const newValue = applyValue(undefined, [], patch)
@@ -101,6 +108,13 @@ describe('function deleteValue', () => {
 }).toThrow()
 })
 
+ test('prototype polluting', () => {
+ const original = {}
+ expect(() => {
+ deleteValue(original, ['__proto__', 'polluted'], 1)
+ }).toThrow()
+ })
+
 test('undefined', () => {
 patches.forEach(patch => {
 const newValue = deleteValue(undefined, [], patch)
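Review bot: The guard added at the top of the `if (key !== undefined)` branch rejects only `'__proto__'`, but the recursive step `input[key] = deleteValue(input[key], restPath, value)` reads `input[key]` through the prototype chain, so inherited members such as `constructor` and its `prototype` still resolve to `Object.prototype` and can be written to. Widen the check to the usual set: `if (key === '__proto__' || key === 'constructor' || key === 'prototype') {`, with a short comment above it such as `// reject keys that resolve to Object.prototype (prototype pollution)` so the next reader knows why these strings are special. deleteValue's signature and the rest of its body lie outside the hunk. The diffstat shows no change to applyValue even though the new test expects it to throw on `'__proto__'`, so presumably it already carries an equivalent guard; it would need the same widening.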
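Review bot: The new 'prototype polluting' test only asserts that the call throws; it does not check that nothing was written before the throw, so an implementation that assigns first and throws afterwards would still pass. Add a post-condition after the `expect(...).toThrow()` block, e.g. `expect(Object.prototype).not.toHaveProperty('polluted')`, and add the same line to the matching deleteValue test in the second hunk of this file. Both describe blocks start and end outside their hunks.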