fixup! fix(merge): Avoid protototype pollution when parsing properties

Signed-off-by: Paul Maréchal <[email protected]>
eclipse-theia · Oct 29, 2020 · 525f4d9 · 525f4d9
1 parent f0171c2
commit 525f4d9
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/packages/plugin-ext/src/plugin/preference-registry.spec.ts b/packages/plugin-ext/src/plugin/preference-registry.spec.ts
@@ -34,7 +34,6 @@ describe('PreferenceRegistryExtImpl:', () => {
         getProxy,
         set,
         dispose
-
     } as RPCProtocol;
     const mockWorkspace: WorkspaceExtImpl = {} as WorkspaceExtImpl;
 
@@ -67,7 +66,7 @@ describe('PreferenceRegistryExtImpl:', () => {
         };
         const result: { [key: string]: any } = (preferenceRegistryExtImpl as any).parseConfigurationData(value);
         expect(result.my).to.be.an('object');
-        expect(result.__proto__).to.be.equal(Object.prototype);
+        expect(result.__proto__).to.be.an('undefined');
         expect(result.my.key1.foo).to.equal('value1');
         const prototypeObject = Object.prototype as any;
         expect(prototypeObject.injectedParsedPrototype).to.be.an('undefined');
@@ -83,7 +82,7 @@ describe('PreferenceRegistryExtImpl:', () => {
         };
         const result: { [key: string]: any } = (preferenceRegistryExtImpl as any).parseConfigurationData(value);
         expect(result.my).to.be.an('object');
-        expect(result.__proto__).to.be.equal(Object.prototype);
+        expect(result.__proto__).to.be.an('undefined');
         expect(result.my.key1.foo).to.equal('value1');
         const prototypeObject = Object.prototype as any;
         expect(prototypeObject.injectedParsedConstructorPrototype).to.be.an('undefined');

diff --git a/packages/plugin-ext/src/plugin/preference-registry.ts b/packages/plugin-ext/src/plugin/preference-registry.ts
@@ -31,7 +31,7 @@ import { Configuration, ConfigurationModel } from './preferences/configuration';
 import { WorkspaceExtImpl } from './workspace';
 import cloneDeep = require('lodash.clonedeep');
 
-const prototypePropertyRe = /\b__proto__\b|\bconstructor.prototype\b/;
+const injectionRe = /\b__proto__\b|\bconstructor\.prototype\b/;
 
 enum ConfigurationTarget {
     Global = 1,
@@ -240,7 +240,10 @@ export class PreferenceRegistryExtImpl implements PreferenceRegistryExt {
     private readonly OVERRIDE_PROPERTY_PATTERN = new RegExp(this.OVERRIDE_PROPERTY);
 
     private parseConfigurationData(data: { [key: string]: any }): { [key: string]: any } {
-        return Object.keys(data).filter(key => !prototypePropertyRe.test(key)).reduce((result: any, key: string) => {
+        return Object.keys(data).reduce((result: any, key: string) => {
+            if (injectionRe.test(key)) {
+                return result;
+            }
             const parts = key.split('.');
             let branch = result;
 
@@ -250,7 +253,7 @@ export class PreferenceRegistryExtImpl implements PreferenceRegistryExt {
                     continue;
                 }
                 if (!branch[parts[i]]) {
-                    branch[parts[i]] = {};
+                    branch[parts[i]] = Object.create(null);
                 }
                 branch = branch[parts[i]];
 
@@ -265,7 +268,7 @@ export class PreferenceRegistryExtImpl implements PreferenceRegistryExt {
                 }
             }
             return result;
-        }, {});
+        }, Object.create(null));
     }
 
     private toConfigurationChangeEvent(eventData: PreferenceChangeExt[]): theia.ConfigurationChangeEvent {

diff --git a/packages/plugin-ext/src/plugin/preferences/configuration.ts b/packages/plugin-ext/src/plugin/preferences/configuration.ts
@@ -110,7 +110,7 @@ export class Configuration {
 export class ConfigurationModel {
 
     constructor(
-        private contents: any = {},
+        private contents: any = Object.create(null),
         private keys: string[] = [],
     ) { }