File tree 2 files changed +29
-1
lines changed
2 files changed +29
-1
lines changed Original file line number Diff line number Diff line change @@ -66,7 +66,17 @@ var Logger = function(config) {
6666 config = config || { } ;
6767
6868 this . _mute = false ;
69- this . config = _ . merge ( { } , defaults , config ) ;
69+ var safeConfig = { } ;
70+ for ( var attr in config ) {
71+ if ( ! config . hasOwnProperty ( attr ) ) {
72+ continue ;
73+ }
74+ if ( attr === "__proto__" || attr === "constructor" || attr === "prototype" ) {
75+ continue ;
76+ }
77+ safeConfig [ attr ] = config [ attr ] ;
78+ }
79+ this . config = _ . merge ( { } , defaults , safeConfig ) ;
7080 this . addLevelMethods ( this . config . levels ) ;
7181 this . _memo = { } ;
7282
Original file line number Diff line number Diff line change @@ -308,4 +308,22 @@ describe("Logging", function(){
308308
309309 assert . equal ( actual , expected ) ;
310310 } ) ;
311+
312+ it ( "should handle prototype pollution attempts safely" , function ( ) {
313+ const lib = easyLogger ;
314+ console . log ( "Before Attack: " , JSON . stringify ( Object . getPrototypeOf ( { } ) ) ) ;
315+
316+ try {
317+ // for multiple functions, uncomment only one for each execution.
318+ lib . Logger ( JSON . parse ( "{\"__proto__\":{\"pollutedKey\":123}}" ) ) ;
319+ } catch ( e ) {
320+ }
321+
322+ console . log ( "After Attack: " , JSON . stringify ( Object . getPrototypeOf ( { } ) ) ) ;
323+
324+ assert . notProperty ( Object . prototype , "pollutedKey" , "Prototype pollution occurred" ) ;
325+
326+ // Cleanup if any property was added
327+ delete Object . prototype . pollutedKey ;
328+ } ) ;
311329} ) ;
You can’t perform that action at this time.
0 commit comments