Create Objects without prototypes.

This generally helps mitigate prototype pollution: even if another library allows prototype pollution, ejs will not allow escalating this into Remote Code Execution.
mde · May 31, 2021 · be9a9bb · be9a9bb
1 parent 15ee698
commit be9a9bb
Showing 1 changed file with 21 additions and 8 deletions.
diff --git a/lib/ejs.js b/lib/ejs.js
@@ -44,6 +44,7 @@
  * @public
  */
 
+
 var fs = require('fs');
 var path = require('path');
 var utils = require('./utils');
@@ -66,6 +67,17 @@ var _OPTS_PASSABLE_WITH_DATA_EXPRESS = _OPTS_PASSABLE_WITH_DATA.concat('cache');
 var _BOM = /^\uFEFF/;
 var _JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;
 
+var createObj = function() {
+  if (typeof Object.create !== 'function') {
+    return function (o) {
+      function F() {}
+      F.prototype = o;
+      return new F();
+    };
+  }
+  return Object.create;
+}();
+
 /**
  * EJS template function cache. This can be a LRU object from lru-cache NPM
  * module. By default, it is {@link module:utils.cache}, a simple in-process
@@ -306,7 +318,7 @@ function fileLoader(filePath){
  */
 
 function includeFile(path, options) {
-  var opts = utils.shallowCopy({}, options);
+  var opts = utils.shallowCopy(createObj(null), options);
   opts.filename = getIncludePath(path, opts);
   if (typeof options.includer === 'function') {
     var includerResult = options.includer(path, opts.filename);
@@ -412,8 +424,8 @@ exports.compile = function compile(template, opts) {
  */
 
 exports.render = function (template, d, o) {
-  var data = d || {};
-  var opts = o || {};
+  var data = d || createObj(null);
+  var opts = o || createObj(null);
 
   // No options object -- if there are optiony names
   // in the data, copy them to options
@@ -484,7 +496,7 @@ exports.renderFile = function () {
     opts.filename = filename;
   }
   else {
-    data = {};
+    data = createObj(null);
   }
 
   return tryHandleCache(opts, data, cb);
@@ -506,8 +518,8 @@ exports.clearCache = function () {
 };
 
 function Template(text, opts) {
-  opts = opts || {};
-  var options = {};
+  opts = opts || createObj(null);
+  var options = createObj(null);
   this.templateText = text;
   /** @type {string | null} */
   this.mode = null;
@@ -693,13 +705,14 @@ Template.prototype = {
     // Adds a local `include` function which allows full recursive include
     var returnedFn = opts.client ? fn : function anonymous(data) {
       var include = function (path, includeData) {
-        var d = utils.shallowCopy({}, data);
+        var d = utils.shallowCopy(createObj(null), data);
         if (includeData) {
           d = utils.shallowCopy(d, includeData);
         }
         return includeFile(path, opts)(d);
       };
-      return fn.apply(opts.context, [data || {}, escapeFn, include, rethrow]);
+      return fn.apply(opts.context,
+          [data || createObj(null), escapeFn, include, rethrow]);
     };
     if (opts.filename && typeof Object.defineProperty === 'function') {
       var filename = opts.filename;