Redocly/redoc
1
1
Fork 0
mirror of https://github.com/Redocly/redoc.git synced 2025-11-04 09:47:31 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix: Prototype Pollution Vulnerability Affecting redoc <=2.2.0 (#2638)

Browse Source 
https://github.com/Redocly/redoc/issues/2499

Co-authored-by: Lucas Akira Uehara <80917717@telefonicati.onmicrosoft.com>
This commit is contained in:
Lucas Akira Uehara 2025-01-28 18:28:26 -03:00 committed by GitHub
parent c765b34ef5
commit 153ec7a0b7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 32 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
src/utils/__tests__/helpers.test.ts
View File

@ -71,6 +71,30 @@ describe('Utils', () => {
const obj2 = { a: ['C'], b: ['D'] }; const obj2 = { a: ['C'], b: ['D'] };
expect(mergeObjects({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] }); expect(mergeObjects({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] });
}); });
test('should prevent prototype pollution', () => {
const target = {};
const source = JSON.parse('{"__proto__": {"polluted": "yes"}}');
mergeObjects(target, source);
expect(({} as any).polluted).toBeUndefined();
});
test('should merge objects correctly', () => {
const target = { a: 1 };
const source = { b: 2 };
const result = mergeObjects(target, source);
expect(result).toEqual({ a: 1, b: 2 });
});
test('should handle nested objects', () => {
const target = { a: { b: 1 } };
const source = { a: { c: 2 } };
const result = mergeObjects(target, source);
expect(result).toEqual({ a: { b: 1, c: 2 } });
});
}); });
describe('titleize', () => { describe('titleize', () => {

3
src/utils/helpers.ts
View File

@ -81,7 +81,6 @@ export function appendToMdHeading(md: string, heading: string, content: string)
} }
} }
// credits https://stackoverflow.com/a/46973278/1749888
export const mergeObjects = (target: any, ...sources: any[]): any => { export const mergeObjects = (target: any, ...sources: any[]): any => {
if (!sources.length) { if (!sources.length) {
return target; return target;
@ -93,6 +92,7 @@ export const mergeObjects = (target: any, ...sources: any[]): any => {
if (isMergebleObject(target) && isMergebleObject(source)) { if (isMergebleObject(target) && isMergebleObject(source)) {
Object.keys(source).forEach((key: string) => { Object.keys(source).forEach((key: string) => {
if (Object.prototype.hasOwnProperty.call(source, key) && key !== '__proto__') {
if (isMergebleObject(source[key])) { if (isMergebleObject(source[key])) {
if (!target[key]) { if (!target[key]) {
target[key] = {}; target[key] = {};
@ -101,6 +101,7 @@ export const mergeObjects = (target: any, ...sources: any[]): any => {
} else { } else {
target[key] = source[key]; target[key] = source[key];
} }
}
}); });
} }