File tree 2 files changed +12
-1
lines changed
2 files changed +12
-1
lines changed Original file line number Diff line number Diff line change @@ -6,8 +6,17 @@ export default function klona(x) {
66 if ( str === '[object Object]' ) {
77 tmp = { } ;
88 for ( k in x ) {
9+ if ( k === '__proto__' ) {
10+ Object . defineProperty ( tmp , k , {
11+ value : klona ( x [ k ] ) ,
12+ configurable : 1 ,
13+ enumerable : 1 ,
14+ writable : 1 ,
15+ } ) ;
16+ } else {
917 tmp [ k ] = klona ( x [ k ] ) ;
1018 }
19+ }
1120 return tmp ;
1221 }
1322
Original file line number Diff line number Diff line change @@ -99,16 +99,17 @@ test('constructor :: pollution', t => {
9999 ) ;
100100
101101 t . not ( ( { } ) [ 'a0' ] , true , 'Safe POJO' ) ;
102+ t . not ( new Object ( ) [ 'a0' ] , true , 'Safe Object' ) ;
102103 t . not ( input [ 'a0' ] , true , 'Safe input' ) ;
103104 t . not ( output [ 'a0' ] , true , 'Safe output' ) ;
104105
105106 t . end ( ) ;
106107} ) ;
107108
108109
110+ // @see https://snyk.io/vuln/SNYK-JS-LODASH-450202
109111test ( 'prototype :: pollution' , t => {
110112 const payload = '{"__proto__":{"a0":true}}' ;
111-
112113 const input = JSON . parse ( payload ) ;
113114 const output = klona ( input ) ;
114115
@@ -118,6 +119,7 @@ test('prototype :: pollution', t => {
118119 ) ;
119120
120121 t . not ( ( { } ) [ 'a0' ] , true , 'Safe POJO' ) ;
122+ t . not ( new Object ( ) [ 'a0' ] , true , 'Safe Object' ) ;
121123 t . not ( input [ 'a0' ] , true , 'Safe input' ) ;
122124 t . not ( output [ 'a0' ] , true , 'Safe output' ) ;
123125
You can’t perform that action at this time.
0 commit comments