From 22f146111f541d9737e832823699ad3528ca7741 Mon Sep 17 00:00:00 2001
From: Kris Zyp
Date: Sat, 9 Oct 2021 15:53:41 -0600
Subject: [PATCH] Don't allow __proto__ property to be used for schema default/coerce, fixes #84

---
 .gitignore | 2 ++
 lib/validate.js | 2 +-
 test/tests.js | 26 ++++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 3c3629e..4dfb120 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 node_modules
+yarn.lock
+.vscode
\ No newline at end of file
diff --git a/lib/validate.js b/lib/validate.js
index 824a4b8..99c9c9c 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -207,7 +207,7 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
 }
 for(var i in objTypeDef){
- if(objTypeDef.hasOwnProperty(i)){
+ if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){
 var value = instance[i];
 // skip _not_ specified properties
 if (value === undefined && options.existingOnly) continue;
diff --git a/test/tests.js b/test/tests.js
index 784085f..0830ca8 100644
--- a/test/tests.js
+++ b/test/tests.js
@@ -92,4 +92,30 @@ var suite = vows.describe('JSON Schema').addBatch({
 'Json-Ref self-validates': assertSelfValidates('json-ref'),
 'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
 'Json-Ref/Core': assertValidates('json-ref', 'schema')*/
+ prototypePollution: function() {
+ console.log('testing')
+ const instance = JSON.parse(`
+ {
+ "$schema":{
+ "type": "object",
+ "properties":{
+ "__proto__": {
+ "type": "object",
+
+ "properties":{
+ "polluted": {
+ "type": "string",
+ "default": "polluted"
+ }
+ }
+ }
+ },
+ "__proto__": {}
+ }
+ }`);
+
+ const a = {};
+ validate(instance);
+ assert.equal(a.polluted, undefined);
+ }
 }).export(module);
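Review bot: Excluding only `__proto__` turns the guard in the `for(var i in objTypeDef)` loop into a one-entry denylist, and the same write path (presumably the default/coerce assignment to `instance[i]` later in this loop, outside the hunk) may also be reachable through the inherited `constructor` and `prototype` keys, which `hasOwnProperty` accepts whenever the schema declares them as own properties. A more robust line is `if(objTypeDef.hasOwnProperty(i) && i !== '__proto__' && i !== 'constructor' && i !== 'prototype'){`, and `!==` matches the strict `===` already used two lines below instead of the loose `!=`. A short why-comment would stop the next maintainer from "simplifying" it away, e.g. `// never let schema-controlled keys walk onto Object.prototype (see #84)`. The enclosing `validate` function starts and ends outside the hunk.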
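Review bot: The new `prototypePollution` case leaves a debugging `console.log('testing')` in the suite and, although the subject line names both default and coerce, only exercises `default`; the `console.log` line should be dropped and a sibling case for `coerce` would cover the second path. Because a regression here writes onto `Object.prototype` and would leak into every later batch, the assertion should be followed by cleanup, e.g. `delete Object.prototype.polluted;` in a `finally`. Counting the braces, the `"__proto__": {}` member appears to sit inside `$schema` rather than on the instance root, which reads as unintended; if it is deliberate, a one-line comment stating what it is meant to exercise would help.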