Merge pull request #367 from saulotoledo/fix-prototype-pollution-vuln…

…erability Fix prototype pollution vulnerabilities
typestack · Jul 20, 2020 · 15d6bdb · 15d6bdb
2 parents 94db7dc + 8f04eb9
commit 15d6bdb
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/src/TransformOperationExecutor.ts b/src/TransformOperationExecutor.ts
@@ -145,6 +145,10 @@ export class TransformOperationExecutor {
 
             // traverse over keys
             for (const key of keys) {
+                if (key === '__proto__' || key === 'constructor') {
+                    continue;
+                }
+
                 const valueKey = key;
                 let newValueKey = key, propertyName = key;
                 if (!this.options.ignoreDecorators && targetType) {

diff --git a/test/functional/basic-functionality.spec.ts b/test/functional/basic-functionality.spec.ts
@@ -1749,6 +1749,20 @@ describe("basic functionality", () => {
         expect(transformedClass).toBeInstanceOf(TestClass);
     });
 
+    it('should not pollute the prototype with a `__proto__` property',() => {
+        const object = JSON.parse('{"__proto__": { "admin": true }}');
+        const plainObject = {};
+        classToPlainFromExist(object, plainObject);
+        expect((plainObject as any).admin).toEqual(undefined);
+    });
+
+    it('should not pollute the prototype with a `constructor.prototype` property',  () => {
+        const object = JSON.parse('{"constructor": { "prototype": { "admin": true }}}');
+        const plainObject = {};
+        classToPlainFromExist(object, plainObject);
+        expect((plainObject as any).admin).toEqual(undefined);
+    });
+
     it("should default union types where the plain type is an array to an array result", () => {
         class User {
             name: string;