Avoid calling hasOwnProperty of user-controlled objects

nodeca · Dec 7, 2020 · e852066 · e852066
1 parent 3c55658
commit e852066
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,6 +28,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Removed `bower.json`.
 
 
+## [3.14.1] - 2020-12-07
+### Security
+- Fix possible code execution in (already unsafe) `.load()` (in &anchor).
+
+
 ## [3.14.0] - 2020-05-22
 ### Changed
 - Support `safe/loadAll(input, options)` variant of call.

diff --git a/lib/loader.js b/lib/loader.js
@@ -1274,7 +1274,7 @@ function readAlias(state) {
 
   alias = state.input.slice(_position, state.position);
 
-  if (!state.anchorMap.hasOwnProperty(alias)) {
+  if (!_hasOwnProperty.call(state.anchorMap, alias)) {
     throwError(state, 'unidentified alias "' + alias + '"');
   }