Commit

fix(core): fixed __proto__ pollution
nolimits4web committed Mar 25, 2021
1 parent 3aad554 commit 9dad273
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/utils/utils.js
Expand Up @@ -92,7 +92,7 @@ function extend(...args) {
for (let i = 1; i < args.length; i += 1) {
const nextSource = args[i];
if (nextSource !== undefined && nextSource !== null) {
const keysArray = Object.keys(Object(nextSource));
const keysArray = Object.keys(Object(nextSource)).filter((key) => key !== '__proto__');
for (let nextIndex = 0, len = keysArray.length; nextIndex < len; nextIndex += 1) {
const nextKey = keysArray[nextIndex];
const desc = Object.getOwnPropertyDescriptor(nextSource, nextKey);
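Review bot: the filter added on the `keysArray` line excludes only the literal `__proto__` key, so `constructor` and `prototype` keys in `nextSource` still reach the copy loop below it. Whether those can reach a shared prototype depends on how the rest of the loop (not shown in this hunk) handles nested objects, so that path needs checking before this is treated as a complete fix. Consider a small denylist such as `['__proto__', 'constructor', 'prototype'].indexOf(key) < 0` instead of the single comparison, with a short comment on the line saying why these keys are skipped. A regression test would also help: pass a `JSON.parse`d object carrying a `__proto__` key through `extend` and assert that a fresh `{}` has not gained the property.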

3 comments on commit 9dad273

@lobosan

Hi, is it possible for you guys to add this fix to swiper v5?
We are running vue 2 so we cannot update to swiper 6
and dependabot is warning us about this critical vulnerability :(

@vltansky
Collaborator

@lobosan you can open PR to Swiper v5 branch

@lobosan

@vltansky someone already created a PR
#4692

Although, not sure if it is needed to check constructor and prototype as well, like this
https://github.com/ionic-team/ionic-framework/pull/23344/files
