fix: Prototype Pollution Vulnerability Affecting redoc <=2.2.0 (#2638)

https://github.com/Redocly/redoc/issues/2499 Co-authored-by: Lucas Akira Uehara <80917717@telefonicati.onmicrosoft.com>
2025-04-19 16:22:05 +03:00 · 2025-01-28 18:28:26 -03:00 · 2025-01-28 18:28:26 -03:00 · 153ec7a0b7
commit 153ec7a0b7
parent c765b34ef5
2 changed files with 32 additions and 7 deletions
--- a/src/utils/tests/helpers.test.ts
+++ b/src/utils/tests/helpers.test.ts
@ -71,6 +71,30 @@ describe('Utils', () => {
        const obj2 = { a: ['C'], b: ['D'] };
        expect(mergeObjects({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] });
      });
+      test('should prevent prototype pollution', () => {
+        const target = {};
+        const source = JSON.parse('{"__proto__": {"polluted": "yes"}}');
+
+        mergeObjects(target, source);
+
+        expect(({} as any).polluted).toBeUndefined();
+      });
+      test('should merge objects correctly', () => {
+        const target = { a: 1 };
+        const source = { b: 2 };
+
+        const result = mergeObjects(target, source);
+
+        expect(result).toEqual({ a: 1, b: 2 });
+      });
+      test('should handle nested objects', () => {
+        const target = { a: { b: 1 } };
+        const source = { a: { c: 2 } };
+
+        const result = mergeObjects(target, source);
+
+        expect(result).toEqual({ a: { b: 1, c: 2 } });
+      });
    });

    describe('titleize', () => {
--- a/src/utils/helpers.ts
+++ b/src/utils/helpers.ts
@ -81,7 +81,6 @@ export function appendToMdHeading(md: string, heading: string, content: string)
  }
 }

-// credits https://stackoverflow.com/a/46973278/1749888
 export const mergeObjects = (target: any, ...sources: any[]): any => {
  if (!sources.length) {
    return target;
@ -93,13 +92,15 @@ export const mergeObjects = (target: any, ...sources: any[]): any => {

  if (isMergebleObject(target) && isMergebleObject(source)) {
    Object.keys(source).forEach((key: string) => {
-      if (isMergebleObject(source[key])) {
-        if (!target[key]) {
-          target[key] = {};
+      if (Object.prototype.hasOwnProperty.call(source, key) && key !== '__proto__') {
+        if (isMergebleObject(source[key])) {
+          if (!target[key]) {
+            target[key] = {};
+          }
+          mergeObjects(target[key], source[key]);
+        } else {
+          target[key] = source[key];
        }
-        mergeObjects(target[key], source[key]);
-      } else {
-        target[key] = source[key];
      }
    });
  }