Merge pull request #336 from snyk/fix/predefine-pp

fix: replace vulnerable merge function of predefine package with not vulnerable lodash.merge implementation

lib/index.js

@@ -1,3 +1,8 @@
+// This is the temporary fix for https://snyk.io/vuln/SNYK-JS-PREDEFINE-1054935
+// The vulnerability is introduced via snyk-broker@* › primus@6.1.0 › fusing@1.0.0 › predefine@0.1.2
+// We require predefine early to replace vulnerable function `merge` with not vulnerable analog `lodash.merge`.
+require('predefine').merge = require('lodash.merge');
+
 require('clarify'); // clean the stacktraces
 const path = require('path');
 const yaml = require('js-yaml');

package.json

@@ -62,6 +62,7 @@
     "js-yaml": "^3.13.1",
     "lodash.escaperegexp": "^4.1.2",
     "lodash.mapvalues": "^4.6.0",
+    "lodash.merge": "^4.6.2",
     "minimatch": "^3.0.4",
     "minimist": "^1.2.5",
     "node-cache": "^5.1.0",

test/unit/predefine-pp-hotfix.test.ts

@@ -0,0 +1,11 @@
+describe('predefine prototype pollution', () => {
+  it('is not exploitable', () => {
+    require('../../lib/index');
+
+    require('primus').prototype.merge(
+      {},
+      JSON.parse('{"__proto__": {"a": "b"}}'),
+    );
+    expect(({} as any).a).toBeUndefined();
+  });
+});