
Commit 3c0c11c

fix(security): fixed formToJSON prototype pollution vulnerability; (#6167)
1 parent 75af1cd commit 3c0c11c

2 files changed

Lines changed: 24 additions & 0 deletions


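--- a/lib/helpers/formDataToJSON.js
+++ b/lib/helpers/formDataToJSON.js
@@ -49,6 +49,9 @@ function arrayToObject(arr) {
 function formDataToJSON(formData) {
 function buildPath(path, value, target, index) {
 let name = path[index++];
+
+if (name === '__proto__') return true;
+
 const isNumericKey = Number.isFinite(+name);
 const isLast = index >= path.length;
 name = !name && utils.isArray(target) ? target.length : name;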
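Review bot: The `__proto__` guard at the top of buildPath carries no comment explaining why the segment is skipped or what the `true` return means to the caller, so the security intent is easy to lose in a later refactor. I would put `// Drop '__proto__' path segments: descending into them can write onto Object.prototype (prototype pollution)` directly above the check. The comparison is an exact match on a single key; the spec in this commit shows `constructor.prototype.y` still being built as ordinary nested data, which is only safe as long as the rest of buildPath creates its own container for such keys rather than following the inherited one. That part of the function lies outside this hunk, so it is worth confirming there.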

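--- a/test/specs/helpers/formDataToJSON.spec.js
+++ b/test/specs/helpers/formDataToJSON.spec.js
@@ -47,4 +47,25 @@ describe('formDataToJSON', function () {
 foo: ['1', '2']
 });
 });
+
+it('should resist prototype pollution CVE', () => {
+const formData = new FormData();
+
+formData.append('foo[0]', '1');
+formData.append('foo[1]', '2');
+formData.append('__proto__.x', 'hack');
+formData.append('constructor.prototype.y', 'value');
+
+expect(formDataToJSON(formData)).toEqual({
+foo: ['1', '2'],
+constructor: {
+prototype: {
+y: 'value'
+}
+}
+});
+
+expect({}.x).toEqual(undefined);
+expect({}.y).toEqual(undefined);
+});
 });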
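Review bot: The new spec only exercises `__proto__` as the first path segment; since buildPath is called with an `index`, the guard presumably runs at every depth, but nothing here pins that. A second field such as `formData.append('a.__proto__.z', 'hack');` with `expect({}.z).toEqual(undefined);` would cover it. Also, if the guard ever regresses, the keys written to Object.prototype stay there for every later spec in the run, so an `afterEach` that deletes `Object.prototype.x` and `Object.prototype.y` would keep one failure from cascading. The enclosing describe block starts outside the hunk.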
