fix(angular.merge): do not merge __proto__ property
By blocking `__proto__` on deep merging, this commit prevents the `Object` prototype from being polluted.
This commit is contained in:
+4
-2
@@ -386,8 +386,10 @@ function baseExtend(dst, objs, deep) {
|
||||
} else if (isElement(src)) {
|
||||
dst[key] = src.clone();
|
||||
} else {
|
||||
if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
|
||||
baseExtend(dst[key], [src], true);
|
||||
if (key !== '__proto__') {
|
||||
if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
|
||||
baseExtend(dst[key], [src], true);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
dst[key] = src;
|
||||
|
||||
@@ -811,6 +811,19 @@ describe('angular', function() {
|
||||
expect(isElement(dst.jqObject)).toBeTruthy();
|
||||
expect(dst.jqObject.nodeName).toBeUndefined(); // i.e it is a jqLite/jQuery object
|
||||
});
|
||||
|
||||
it('should not merge the __proto__ property', function() {
|
||||
var src = JSON.parse('{ "__proto__": { "xxx": "polluted" } }');
|
||||
var dst = {};
|
||||
|
||||
merge(dst, src);
|
||||
|
||||
if (typeof dst.__proto__ !== 'undefined') { // eslint-disable-line
|
||||
// Should not overwrite the __proto__ property or pollute the Object prototype
|
||||
expect(dst.__proto__).toBe(Object.prototype); // eslint-disable-line
|
||||
}
|
||||
expect(({}).xxx).toBeUndefined();
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user