fix(SearchParameters): ignore invalid parameters (#880)

Haroenv · web-flow · commit 4ff542b70b92 · 2021-10-19T15:00:44.000+01:00
* fix(SearchParameters): ignore invalid parameters

These parameters could be used maliciously, so are explicilty not allowed in merge

* clearer test
diff --git a/src/functions/merge.js b/src/functions/merge.js
@@ -21,7 +21,10 @@ function _merge(target, source) {
   }
 
   for (var key in source) {
-    if (!Object.prototype.hasOwnProperty.call(source, key)) {
+    if (
+      !Object.prototype.hasOwnProperty.call(source, key) ||
+      key === '__proto__'
+    ) {
       continue;
     }
 
@@ -32,7 +35,10 @@ function _merge(target, source) {
       continue;
     }
 
-    if (isObjectOrArrayOrFunction(targetVal) && isObjectOrArrayOrFunction(sourceVal)) {
+    if (
+      isObjectOrArrayOrFunction(targetVal) &&
+      isObjectOrArrayOrFunction(sourceVal)
+    ) {
       target[key] = _merge(targetVal, sourceVal);
     } else {
       target[key] = clone(sourceVal);
diff --git a/test/spec/functions/defaultsPure.js b/test/spec/functions/defaultsPure.js
@@ -92,3 +92,16 @@ it('should keep the keys order when adding facet refinements', function() {
   );
   expect(Object.keys(actual)).toEqual(['facet1', 'facet2']);
 });
+
+it('does not pollute the prototype', () => {
+  var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
+  var subject = {};
+
+  expect(subject.polluted).toBe(undefined);
+
+  const out = defaults({}, payload);
+
+  expect(out).toEqual({});
+
+  expect({}.polluted).toBe(undefined);
+});
diff --git a/test/spec/functions/intersection.js b/test/spec/functions/intersection.js
@@ -18,4 +18,3 @@ test('it should not produce duplicate primitive values', function() {
     '2'
   ]);
 });
-
diff --git a/test/spec/functions/merge.js b/test/spec/functions/merge.js
@@ -170,3 +170,16 @@ it('should not convert strings to arrays when merging arrays of `source`', funct
 
   expect(actual).toStrictEqual({a: ['x', 'y', 'z']});
 });
+
+it('does not pollute the prototype', () => {
+  var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
+  var subject = {};
+
+  expect(subject.polluted).toBe(undefined);
+
+  const out = merge({}, payload);
+
+  expect(out).toEqual({});
+
+  expect({}.polluted).toBe(undefined);
+});

-Original file line number
+Diff line change
     '2'
   ]);
 });
+-