fix proto pollution vulnerability (#2239)

marcus13371337 · web-flow · commit 00bdd0a7ffdf · 2023-05-21T18:06:58.000-07:00
diff --git a/deno/lib/__tests__/record.test.ts b/deno/lib/__tests__/record.test.ts
@@ -134,3 +134,40 @@ test("key and value getters", () => {
   rec.valueSchema.parse(1234);
   rec.element.parse(1234);
 });
+
+test("is not vulnerable to prototype pollution", async () => {
+  const rec = z.record(
+    z.object({
+      a: z.string(),
+    })
+  );
+
+  const data = JSON.parse(`
+    {
+      "__proto__": {
+        "a": "evil"
+      },
+      "b": {
+        "a": "good"
+      }
+    }
+  `);
+
+  const obj1 = rec.parse(data);
+  expect(obj1.a).toBeUndefined();
+
+  const obj2 = rec.safeParse(data);
+  expect(obj2.success).toBe(true);
+  if (obj2.success) {
+    expect(obj2.data.a).toBeUndefined();
+  }
+
+  const obj3 = await rec.parseAsync(data);
+  expect(obj3.a).toBeUndefined();
+
+  const obj4 = await rec.safeParseAsync(data);
+  expect(obj4.success).toBe(true);
+  if (obj4.success) {
+    expect(obj4.data.a).toBeUndefined();
+  }
+});
diff --git a/deno/lib/helpers/parseUtil.ts b/deno/lib/helpers/parseUtil.ts
@@ -136,7 +136,10 @@ export class ParseStatus {
       if (key.status === "dirty") status.dirty();
       if (value.status === "dirty") status.dirty();
 
-      if (typeof value.value !== "undefined" || pair.alwaysSet) {
+      if (
+        key.value !== "__proto__" &&
+        (typeof value.value !== "undefined" || pair.alwaysSet)
+      ) {
         finalObject[key.value] = value.value;
       }
     }
diff --git a/src/__tests__/record.test.ts b/src/__tests__/record.test.ts
@@ -133,3 +133,40 @@ test("key and value getters", () => {
   rec.valueSchema.parse(1234);
   rec.element.parse(1234);
 });
+
+test("is not vulnerable to prototype pollution", async () => {
+  const rec = z.record(
+    z.object({
+      a: z.string(),
+    })
+  );
+
+  const data = JSON.parse(`
+    {
+      "__proto__": {
+        "a": "evil"
+      },
+      "b": {
+        "a": "good"
+      }
+    }
+  `);
+
+  const obj1 = rec.parse(data);
+  expect(obj1.a).toBeUndefined();
+
+  const obj2 = rec.safeParse(data);
+  expect(obj2.success).toBe(true);
+  if (obj2.success) {
+    expect(obj2.data.a).toBeUndefined();
+  }
+
+  const obj3 = await rec.parseAsync(data);
+  expect(obj3.a).toBeUndefined();
+
+  const obj4 = await rec.safeParseAsync(data);
+  expect(obj4.success).toBe(true);
+  if (obj4.success) {
+    expect(obj4.data.a).toBeUndefined();
+  }
+});
diff --git a/src/helpers/parseUtil.ts b/src/helpers/parseUtil.ts
@@ -136,7 +136,10 @@ export class ParseStatus {
       if (key.status === "dirty") status.dirty();
       if (value.status === "dirty") status.dirty();
 
-      if (typeof value.value !== "undefined" || pair.alwaysSet) {
+      if (
+        key.value !== "__proto__" &&
+        (typeof value.value !== "undefined" || pair.alwaysSet)
+      ) {
         finalObject[key.value] = value.value;
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,10 @@ export class ParseStatus {`
`136`	`136`	`if (key.status === "dirty") status.dirty();`
`137`	`137`	`if (value.status === "dirty") status.dirty();`
`138`	`138`
`139`		`- if (typeof value.value !== "undefined" \|\| pair.alwaysSet) {`
	`139`	`+ if (`
	`140`	`+ key.value !== "__proto__" &&`
	`141`	`+ (typeof value.value !== "undefined" \|\| pair.alwaysSet)`
	`142`	`+ ) {`
`140`	`143`	`finalObject[key.value] = value.value;`
`141`	`144`	`}`
`142`	`145`	`}`