Merge pull request #262 from 418sec/1-npm-fast-json-patch

Security Fix for Prototype Pollution - huntr.dev
Starcounter-Jack · Aug 13, 2021 · 7ad6af4 · 7ad6af4
2 parents 34d6405 + 5edc97d
commit 7ad6af4
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/commonjs/core.js b/commonjs/core.js
@@ -188,8 +188,10 @@ function applyOperation(document, operation, validateOperation, mutateDocument,
             if (key && key.indexOf('~') != -1) {
                 key = helpers_js_1.unescapePathComponent(key);
             }
-            if (banPrototypeModifications && key == '__proto__') {
-                throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+            if (banPrototypeModifications &&
+                (key == '__proto__' ||
+                    (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {
+                throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
             }
             if (validateOperation) {
                 if (existingPathFragment === undefined) {

diff --git a/module/core.mjs b/module/core.mjs
@@ -186,8 +186,10 @@ export function applyOperation(document, operation, validateOperation, mutateDoc
             if (key && key.indexOf('~') != -1) {
                 key = unescapePathComponent(key);
             }
-            if (banPrototypeModifications && key == '__proto__') {
-                throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+            if (banPrototypeModifications &&
+                (key == '__proto__' ||
+                    (key == 'prototype' && t > 0 && keys[t - 1] == 'constructor'))) {
+                throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
             }
             if (validateOperation) {
                 if (existingPathFragment === undefined) {

diff --git a/src/core.ts b/src/core.ts
@@ -251,8 +251,11 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe
         key = unescapePathComponent(key);
       }
 
-      if(banPrototypeModifications && key == '__proto__') {
-        throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+      if(banPrototypeModifications && 
+          (key == '__proto__' || 
+          (key == 'prototype' && t>0 && keys[t-1] == 'constructor'))
+        ) {
+        throw new TypeError('JSON-Patch: modifying `__proto__` or `constructor/prototype` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
       }
 
       if (validateOperation) {