fix: security Fix for Prototype Pollution - huntr.dev (#1088)

* [Tests] fix test suite

* [Fix] `setLocale`: do not allow prototype pollution

Co-authored-by: Jordan Harband <ljharb@gmail.com>
Co-authored-by: Jamie Slome <jamie@418sec.com>

package.json

@@ -96,7 +96,8 @@
     "rollup-plugin-node-resolve": "^5.2.0",
     "rollup-plugin-size-snapshot": "^0.12.0",
     "sinon": "^9.2.0",
-    "sinon-chai": "^3.5.0"
+    "sinon-chai": "^3.5.0",
+    "synchronous-promise": "^2.0.15"
   },
   "dependencies": {
     "@babel/runtime": "^7.10.5",

src/locale.js

@@ -63,12 +63,12 @@ export let array = {
   max: '${path} field must have less than or equal to ${max} items',
 };
 
-export default {
+export default Object.assign(Object.create(null), {
   mixed,
   string,
   number,
   date,
   object,
   array,
   boolean,
-};
+});

test/object.js

@@ -153,7 +153,7 @@ describe('Object types', () => {
       err.message.should.match(/must be a `string` type/);
     });
 
-    it.only('should respect child schema with strict()', async () => {
+    it('should respect child schema with strict()', async () => {
       inst = object({
         field: number().strict(),
       });

test/setLocale.js

@@ -23,4 +23,20 @@ describe('Custom locale', () => {
     const locale = require('../src/locale').default;
     expect(locale.string.email).to.equal('Invalid email');
   });
+
+  it('should not allow prototype pollution', () => {
+    const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
+
+    expect(() => setLocale(payload)).to.throw();
+
+    expect(payload).not.to.have.property('polluted');
+  });
+
+  it('should not pollute Object.prototype builtins', () => {
+    const payload = { toString: { polluted: 'oh no' } };
+
+    expect(() => setLocale(payload)).to.throw();
+
+    expect(Object.prototype.toString).not.to.have.property('polluted');
+  });
 });