Skip to content

Commit

Permalink
Fix prototype pollution security issue. fixes #1331
Browse files Browse the repository at this point in the history
  • Loading branch information
ChenKS12138 authored and fdintino committed Nov 25, 2020
1 parent f51afa3 commit aa9e5b9
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ Unreleased
* Add `base` arg to
[`int` filter](https://mozilla.github.io/nunjucks/templating.html#int).
* Move `chokidar` to `peerDependencies` and mark it `optional` in `peerDependenciesMeta`.
* Fix prototype pollution issue for template variables. Merge of
[#1330](https://github.com/mozilla/nunjucks/pull/1330); fixes
[#1331](https://github.com/mozilla/nunjucks/issues/1331). Thanks
[ChenKS12138](https://github.com/ChenKS12138)!

3.2.2 (Jul 20 2020)
-------------------
Expand Down
2 changes: 1 addition & 1 deletion nunjucks/src/runtime.js
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ var supportsIterators = (
// variables, for example.
class Frame {
constructor(parent, isolateWrites) {
this.variables = {};
this.variables = Object.create(null);
this.parent = parent;
this.topLevel = false;
// if this is true, writes (set) should never propagate upwards past
Expand Down
16 changes: 16 additions & 0 deletions tests/runtime.js
Original file line number Diff line number Diff line change
Expand Up @@ -110,5 +110,21 @@

finish(done);
});

it('should not read variables property from Object.prototype', function(done) {
var payload = 'function(){ return 1+2; }()';
var data = {};
Object.getPrototypeOf(data).payload = payload;

render('{{ payload }}', data, {
noThrow: true
}, function(err, res) {
expect(err).to.equal(null);
expect(res).to.equal(payload);
});
delete Object.getPrototypeOf(data).payload;

finish(done);
});
});
}());

0 comments on commit aa9e5b9

Please sign in to comment.