Commit
Fix prototype pollution vulnerability
aearly committed Oct 28, 2021
1 parent fc9ba65 commit e1ecdbf
Showing 2 changed files with 14 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/internal/iterator.js
Expand Up @@ -26,6 +26,9 @@ function createObjectIterator(obj) {
var len = okeys.length;
return function next() {
var key = okeys[++i];
if (key === '__proto__') {
return next();
}
return i < len ? {value: obj[key], key} : null;
};
}
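Review bot: the `if (key === '__proto__') { return next(); }` skip needs a comment explaining why it exists, since a reader of iterator.js cannot tell that `Object.keys` will return an own `__proto__` key for objects built by `JSON.parse` and that consumers assigning `results[key] = value` would then replace the result's prototype. The recursive `return next()` is safe because `++i` advances before the comparison, so each skipped key moves the cursor forward and the loop terminates at `i < len`. Since this helper backs every object-iterating function in the library, silently dropping `__proto__` is a behaviour change for all of them and is worth a line in the changelog.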
11 changes: 11 additions & 0 deletions test/mapValues.js
Expand Up @@ -60,6 +60,17 @@ describe('mapValues', () => {
done();
}, 50);
});

it('prototype pollution', (done) => {
var input = JSON.parse('{"a": 1, "b": 2, "__proto__": { "exploit": true }}');

async.mapValues(input, (val, key, next) => {
next(null, val)
}, (err, result) => {
expect(result.exploit).to.equal(undefined)
done(err);
})
})
});

context('mapValues', () => {
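Review bot: the test only asserts `result.exploit` is undefined; it should also assert that `result.a` is 1 and `result.b` is 2, so it proves the `__proto__` key was skipped rather than iteration stopping early, and check `Object.prototype.exploit` stays undefined to cover the global-pollution case. Style: `next(null, val)`, `expect(result.exploit).to.equal(undefined)` and the closing `})` lines lack semicolons, unlike the surrounding `done();` and `}, 50);` in the same file.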

3 comments on commit e1ecdbf

@Marynk
@Marynk Marynk commented on e1ecdbf Apr 5, 2022

Note: this fix addresses the vulnerability, registered as CVE-2021-43138.

@mriedem
@mriedem mriedem commented on e1ecdbf Apr 8, 2022

Is there any chance this could get backported to a 2.6.x release for those that haven't yet dealt with the 3.0 upgrade and breaking changes?

@mriedem
@mriedem mriedem commented on e1ecdbf Apr 8, 2022


I've submitted #1828 for a 2.x series backport. I don't really know if it's going to pass (my first time contributing to this repo) so I'm hoping if the maintainer(s) are open to a backport they can take that over if it needs work.
