fix: prevent prototype pollution in lodashUtil.merge and mergeWith#2869
Conversation
|
|
@copilot 没看到 packages/utils/src/lodash-adapter.ts 的 diff 修改。 |
The fix to The old version (up through the Beta commit) imported import merge from 'lodash/merge';
import mergeWith from 'lodash/mergeWith';The new custom implementation already includes the prototype pollution guard: if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
continue;
}Since that fix landed on master before this branch was cut, our PR diff only shows the added test coverage. The changeset entry |
lodashUtil.merge()andmergeWith()iterated source keys withfor...inwithout filtering__proto__,constructor, orprototype, allowing a JSON-parsed config with an own-enumerable__proto__property to write attacker-controlled values ontoObject.prototype.Changes
packages/utils/src/lodash-adapter.ts: Skip__proto__,constructor, andprototypekeys in bothmerge()andmergeWith()during recursive iterationpackages/utils/__tests__/lodash-adapter.spec.ts: Tests confirmingObject.prototypeis not polluted when merging a maliciousJSON.parse('{"__proto__":{"polluted":"PWNED"}}')payload via either functionThe attack surface was reachable via public API:
new PointLayer(attackerConfig)→scene.addLayer()→BaseLayer.init()→globalConfigService.setLayerConfig()→merge().