Mirrors/lodash
1
0
Fork 0
mirror of https://github.com/whoisclebs/lodash.git synced 2026-01-29 06:27:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(zipObjectDeep): prototype pollution (#4759)

Browse Source
This commit is contained in:
Jakub Mikulas
2020-07-02 23:47:49 +02:00
committed by GitHub
parent e7b28ea6cb
commit c84fe82760
2 changed files with 37 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
test/test.js
View File

@@ -25799,6 +25799,39 @@
});
});
// zipObjectDeep prototype pollution
['__proto__', 'constructor', 'prototype'].forEach(function (keyToTest) {
QUnit.test('zipObjectDeep is not setting ' + keyToTest + ' on global', function (assert) {
assert.expect(1);
_.zipObjectDeep([keyToTest + '.a'], ['newValue']);
// Can't access plain `a` as it's not defined and test fails
assert.notEqual(root['a'], 'newValue');
});
QUnit.test('zipObjectDeep is not overwriting ' + keyToTest + ' on vars', function (assert) {
assert.expect(3);
const b = 'oldValue'
_.zipObjectDeep([keyToTest + '.b'], ['newValue']);
assert.equal(b, 'oldValue');
assert.notEqual(root['b'], 'newValue');
// ensure nothing was created
assert.notOk(root['b']);
});
QUnit.test('zipObjectDeep is not overwriting global.' + keyToTest, function (assert) {
assert.expect(2);
_.zipObjectDeep([root + '.' + keyToTest + '.c'], ['newValue']);
assert.notEqual(root['c'], 'newValue');
// ensure nothing was created
assert.notOk(root['c']);
});
});
/*--------------------------------------------------------------------------*/
QUnit.module('lodash.zipWith');