fix(angular.merge): do not merge __proto__ property

By blocking `__proto__` on deep merging, this commit
prevents the `Object` prototype from being polluted.
This commit is contained in:
Pete Bacon Darwin
2019-11-07 08:50:53 +00:00
parent 33b5c5067e
commit e242e9b595
2 changed files with 17 additions and 2 deletions
+4 -2
View File
@@ -386,8 +386,10 @@ function baseExtend(dst, objs, deep) {
} else if (isElement(src)) {
dst[key] = src.clone();
} else {
if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
baseExtend(dst[key], [src], true);
if (key !== '__proto__') {
if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
baseExtend(dst[key], [src], true);
}
}
} else {
dst[key] = src;
+13
View File
@@ -811,6 +811,19 @@ describe('angular', function() {
expect(isElement(dst.jqObject)).toBeTruthy();
expect(dst.jqObject.nodeName).toBeUndefined(); // i.e it is a jqLite/jQuery object
});
it('should not merge the __proto__ property', function() {
var src = JSON.parse('{ "__proto__": { "xxx": "polluted" } }');
var dst = {};
merge(dst, src);
if (typeof dst.__proto__ !== 'undefined') { // eslint-disable-line
// Should not overwrite the __proto__ property or pollute the Object prototype
expect(dst.__proto__).toBe(Object.prototype); // eslint-disable-line
}
expect(({}).xxx).toBeUndefined();
});
});