fix proto pollution vulnerability (#2239)

colinhacks · May 22, 2023 · 00bdd0a · 00bdd0a
1 parent 2270ae5
commit 00bdd0a
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 2 deletions.
diff --git a/deno/lib/__tests__/record.test.ts b/deno/lib/__tests__/record.test.ts
@@ -134,3 +134,40 @@ test("key and value getters", () => {
   rec.valueSchema.parse(1234);
   rec.element.parse(1234);
 });
+
+test("is not vulnerable to prototype pollution", async () => {
+  const rec = z.record(
+    z.object({
+      a: z.string(),
+    })
+  );
+
+  const data = JSON.parse(`
+    {
+      "__proto__": {
+        "a": "evil"
+      },
+      "b": {
+        "a": "good"
+      }
+    }
+  `);
+
+  const obj1 = rec.parse(data);
+  expect(obj1.a).toBeUndefined();
+
+  const obj2 = rec.safeParse(data);
+  expect(obj2.success).toBe(true);
+  if (obj2.success) {
+    expect(obj2.data.a).toBeUndefined();
+  }
+
+  const obj3 = await rec.parseAsync(data);
+  expect(obj3.a).toBeUndefined();
+
+  const obj4 = await rec.safeParseAsync(data);
+  expect(obj4.success).toBe(true);
+  if (obj4.success) {
+    expect(obj4.data.a).toBeUndefined();
+  }
+});
diff --git a/deno/lib/helpers/parseUtil.ts b/deno/lib/helpers/parseUtil.ts
@@ -136,7 +136,10 @@ export class ParseStatus {
       if (key.status === "dirty") status.dirty();
       if (value.status === "dirty") status.dirty();
 
-      if (typeof value.value !== "undefined" || pair.alwaysSet) {
+      if (
+        key.value !== "__proto__" &&
+        (typeof value.value !== "undefined" || pair.alwaysSet)
+      ) {
         finalObject[key.value] = value.value;
       }
     }

diff --git a/src/__tests__/record.test.ts b/src/__tests__/record.test.ts
@@ -133,3 +133,40 @@ test("key and value getters", () => {
   rec.valueSchema.parse(1234);
   rec.element.parse(1234);
 });
+
+test("is not vulnerable to prototype pollution", async () => {
+  const rec = z.record(
+    z.object({
+      a: z.string(),
+    })
+  );
+
+  const data = JSON.parse(`
+    {
+      "__proto__": {
+        "a": "evil"
+      },
+      "b": {
+        "a": "good"
+      }
+    }
+  `);
+
+  const obj1 = rec.parse(data);
+  expect(obj1.a).toBeUndefined();
+
+  const obj2 = rec.safeParse(data);
+  expect(obj2.success).toBe(true);
+  if (obj2.success) {
+    expect(obj2.data.a).toBeUndefined();
+  }
+
+  const obj3 = await rec.parseAsync(data);
+  expect(obj3.a).toBeUndefined();
+
+  const obj4 = await rec.safeParseAsync(data);
+  expect(obj4.success).toBe(true);
+  if (obj4.success) {
+    expect(obj4.data.a).toBeUndefined();
+  }
+});
diff --git a/src/helpers/parseUtil.ts b/src/helpers/parseUtil.ts
@@ -136,7 +136,10 @@ export class ParseStatus {
       if (key.status === "dirty") status.dirty();
       if (value.status === "dirty") status.dirty();
 
-      if (typeof value.value !== "undefined" || pair.alwaysSet) {
+      if (
+        key.value !== "__proto__" &&
+        (typeof value.value !== "undefined" || pair.alwaysSet)
+      ) {
         finalObject[key.value] = value.value;
       }
     }