Mirrors/lodash
1
0
Fork 0
mirror of https://github.com/whoisclebs/lodash.git synced 2026-01-29 06:27:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Prevent prototype pollution on baseUnset function

Browse Source 
* test: add tests to prevent security regressions

* sec: prevent prototype pollution on `baseUnset` function

* chore: improve security patch

- Expand both `_.omit` & `_.unset` security tests to loop over `__proto__`, `constructor`, `prototype`
- Only block `__proto__` if not an own property
This commit is contained in:
Ulises Gascón
2025-12-05 19:26:49 +01:00
committed by jdalton
parent 4879a7a7d0
commit edadd45214
4 changed files with 168 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
test/test.js
View File

@@ -16573,6 +16573,21 @@
assert.deepEqual(object, { 'a': { 'b': 2 } });
});
});
// Prevent regression for https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
QUnit.test('Security: _.omit should not allow modifying prototype or constructor properties', function(assert) {
assert.expect(3);
var testObj1 = {};
assert.strictEqual(typeof testObj1.toString, 'function', 'Object.toString should work before omit');
_.omit({}, ['__proto__.toString']);
_.omit({}, ['constructor.prototype.toString']);
var testObj2 = {};
assert.strictEqual(typeof testObj2.toString, 'function', 'Object.toString should still work after omit');
assert.strictEqual(Object.prototype.toString.call({}), '[object Object]', 'Object.toString should behave as expected');
});
}());
/*--------------------------------------------------------------------------*/
@@ -25239,6 +25254,21 @@
skipAssert(assert);
}
});
// Prevent regression for https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
QUnit.test('Security: _.unset should not allow modifying prototype or constructor properties', function(assert) {
assert.expect(3);
var testStr1 = 'ABC';
assert.strictEqual(typeof testStr1.toLowerCase, 'function', 'String.toLowerCase should exist before unset');
_.unset({ foo: 'bar' }, 'foo.__proto__.toLowerCase');
_.unset({ foo: 'bar' }, 'foo.constructor.prototype.toLowerCase');
var testStr2 = 'ABC';
assert.strictEqual(typeof testStr2.toLowerCase, 'function', 'String.toLowerCase should still exist after unset');
assert.strictEqual(testStr2.toLowerCase(), 'abc', 'String.toLowerCase should work as expected');
});
}());
/*--------------------------------------------------------------------------*/