fix: address prototype pollution issue (#108)

bcoe · web-flow · commit a9ac604abf75 · 2020-10-25T07:59:56.000-07:00
diff --git a/lib/index.ts b/lib/index.ts
@@ -47,7 +47,7 @@ class Y18N {
     this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
 
     // internal stuff.
-    this.cache = {}
+    this.cache = Object.create(null)
     this.writeQueue = []
   }
 
diff --git a/test/y18n-test.cjs b/test/y18n-test.cjs
@@ -351,6 +351,24 @@ describe('y18n', function () {
     })
   })
 
+  // See: https://github.com/yargs/y18n/issues/96,
+  // https://github.com/yargs/y18n/pull/107
+  describe('prototype pollution', () => {
+    it('does not pollute prototype, with __proto__ locale', () => {
+      const y = y18n()
+      y.setLocale('__proto__')
+      y.updateLocale({ polluted: '👽' })
+      y.__('polluted').should.equal('👽')
+      ;(typeof polluted).should.equal('undefined')
+    })
+
+    it('does not pollute prototype, when __ is used with __proto__ locale', () => {
+      const __ = y18n({ locale: '__proto__' }).__
+      __('hello')
+      ;(typeof {}.hello).should.equal('undefined')
+    })
+  })
+
   after(function () {
     rimraf.sync('./test/locales/fr.json')
   })

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ class Y18N {`
`47`	`47`	`this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true`
`48`	`48`
`49`	`49`	`// internal stuff.`
`50`		`- this.cache = {}`
	`50`	`+ this.cache = Object.create(null)`
`51`	`51`	`this.writeQueue = []`
`52`	`52`	`}`
`53`	`53`