From 5bcb940ed6d08d68df51ba199762d4eb311c10b0 Mon Sep 17 00:00:00 2001
From: Michael Lumish
Date: Wed, 24 Feb 2021 14:54:27 -0800
Subject: [PATCH 1/2] grpc: Fix prototype pollution possibility in loadPackageDefinition
---
 packages/grpc-native-core/index.js | 2 +-
 packages/grpc-native-core/package.json | 2 +-
 packages/grpc-native-core/src/client.js | 4 ++--
 packages/grpc-native-core/src/common.js | 10 ++++++++++
 4 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/packages/grpc-native-core/index.js b/packages/grpc-native-core/index.js
index e9053e8a0..3cb0fd4f5 100644
--- a/packages/grpc-native-core/index.js
+++ b/packages/grpc-native-core/index.js
@@ -161,7 +161,7 @@ exports.loadPackageDefinition = function loadPackageDefintion(packageDef) {
 for (const serviceFqn in packageDef) {
 const service = packageDef[serviceFqn];
 const nameComponents = serviceFqn.split('.');
- if (nameComponents.some(comp => comp === '__proto__')) {
+ if (nameComponents.some(comp => common.isPrototypePolluted(comp))) {
 continue;
 }
 const serviceName = nameComponents[nameComponents.length-1];
diff --git a/packages/grpc-native-core/package.json b/packages/grpc-native-core/package.json
index 8a54bb2d9..511bc9399 100644
--- a/packages/grpc-native-core/package.json
+++ b/packages/grpc-native-core/package.json
@@ -1,6 +1,6 @@
 {
 "name": "grpc",
- "version": "1.24.5",
+ "version": "1.24.6",
 "author": "Google Inc.",
 "description": "gRPC Library for Node",
 "homepage": "https://grpc.io/",
diff --git a/packages/grpc-native-core/src/client.js b/packages/grpc-native-core/src/client.js
index 7ca1aece5..771cfb9d6 100644
--- a/packages/grpc-native-core/src/client.js
+++ b/packages/grpc-native-core/src/client.js
@@ -992,7 +992,7 @@ exports.makeClientConstructor = function(methods, serviceName,
 Object.keys(methods).forEach(name => {
 const attrs = methods[name];
- if (name === '__proto__') {
+ if (common.isPrototypePolluted(name)) {
 return;
 }
 if (name.indexOf('$') === 0) {
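Review bot: In packages/grpc-native-core/index.js (hunk at -161) the widened check still ends in a bare `continue`, so a service whose fully qualified name has a component called `constructor` or `prototype` is now left out of the loaded package with no signal to the caller. The same silent skip applies to the `return` in the client.js hunk at -992 and to the `originalName` guard in the client.js hunk at -1014. I would add a comment on the guard, `// Skip names containing __proto__, prototype or constructor; the entry is intentionally not loaded`, and emit one warning through the library's logger so a dropped entry can be diagnosed. The loop body continues outside the hunk, and the `require` that brings `common` into scope in index.js is not visible here, so confirm it exists.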
@@ -1014,7 +1014,7 @@ exports.makeClientConstructor = function(methods, serviceName,
 ServiceClient.prototype.$method_names[attrs.path] = name;
 // Associate all provided attributes with the method
 Object.assign(ServiceClient.prototype[name], attrs);
- if (attrs.originalName && attrs.originalName !== '__proto__') {
+ if (attrs.originalName && !common.isPrototypePolluted(attrs.originalName)) {
 ServiceClient.prototype[attrs.originalName] = ServiceClient.prototype[name];
 }
diff --git a/packages/grpc-native-core/src/common.js b/packages/grpc-native-core/src/common.js
index 2d948335f..5ee872936 100644
--- a/packages/grpc-native-core/src/common.js
+++ b/packages/grpc-native-core/src/common.js
@@ -148,6 +148,16 @@ exports.zipObject = function(props, values) {
 }, {});
 }
+/**
+ * Returns true, if given key is included in the blacklisted
+ * keys.
+ * @param key {String} key for check, string.
+ * @return {Boolean}
+ */
+exports.isPrototypePolluted = function(key) {
+ return ['__proto__', 'prototype', 'constructor'].includes(key);
+}
+
 // JSDoc definitions that are used in multiple other modules
 /**
From 9153fd28a92430cdc8881fc23614ecfe734346b6 Mon Sep 17 00:00:00 2001
From: Michael Lumish
Date: Mon, 1 Mar 2021 10:11:13 -0800
Subject: [PATCH 2/2] Use indexOf instead of includes for Node 4 compatibility
---
 packages/grpc-native-core/src/common.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/grpc-native-core/src/common.js b/packages/grpc-native-core/src/common.js
index 5ee872936..4dcb31d77 100644
--- a/packages/grpc-native-core/src/common.js
+++ b/packages/grpc-native-core/src/common.js
@@ -155,7 +155,7 @@ exports.zipObject = function(props, values) {
 * @return {Boolean}
 */
 exports.isPrototypePolluted = function(key) {
- return ['__proto__', 'prototype', 'constructor'].includes(key);
+ return ['__proto__', 'prototype', 'constructor'].indexOf(key) >= 0;
 }
 // JSDoc definitions that are used in multiple other modules
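Review bot: In packages/grpc-native-core/src/client.js (hunk at -1014), `attrs.originalName` is tested with `common.isPrototypePolluted`, which matches by strict equality, and is then used as a property key on `ServiceClient.prototype`, where it is converted to a string. If a method definition can carry a non-string `originalName` (this hunk does not show where `attrs` is validated), the value compared and the key actually written can differ. Requiring a string closes that gap: `if (typeof attrs.originalName === 'string' && !common.isPrototypePolluted(attrs.originalName)) {`. The enclosing `forEach` callback starts and ends outside the hunk.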
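Review bot: The helper added in packages/grpc-native-core/src/common.js (hunk at -148) is named `isPrototypePolluted`, which reads as a test of an object's state, while the body only reports whether `key` is one of three fixed names; a name such as `isReservedKey` would match what the call sites in index.js and client.js rely on. The JSDoc says only "blacklisted keys" without listing them or saying why they are rejected. I would word it as `Returns true if key is '__proto__', 'prototype' or 'constructor'; such names must not be used as property keys taken from a package definition.` The check is a fixed denylist, so it protects only the assignments that call it.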
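Review bot: In the second patch's common.js hunk (at -155), the switch to `indexOf(key) >= 0` carries no comment, so a later cleanup could reinstate `includes` and break the Node 4 support named in the commit subject. A one-line comment above the return would record the constraint: `// indexOf, not includes: Array.prototype.includes is not available on Node 4`.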