chore(merge): add tests for "__proto__" key (#38)

* fixed issue#33 CVE-2022-25645 added test for it * Apply suggestions from code review Co-authored-by: Timo Machel <timo-benjamin.machel@deutschebahn.com> Co-authored-by: Luke Edwards <luke.edwards05@gmail.com>
lukeed · May 3, 2022 · 845879b · 845879b
1 parent 2d156c7
commit 845879b
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/test/suites/pollution.js b/test/suites/pollution.js
@@ -85,5 +85,15 @@ export default function (dset) {
 		});
 	});
 
+	// Test for CVE-2022-25645 - CWE-1321 
+	pollution('should ignore JSON.parse crafted object with "__proto__" key', () => {
+		let a = { b: { c: 1 } };
+		assert.is(a.polluted, undefined);
+		assert.is({}.polluted, undefined);
+		dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}'));
+		assert.is(a.polluted, undefined);
+		assert.is({}.polluted, undefined);
+	});
+
 	pollution.run();
 }