fix: Prototype Pollution Vulnerability Affecting redoc <=2.2.0

#2499
Redocly · Jan 2, 2025 · ca247fd · ca247fd
1 parent 85b622f
commit ca247fd
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 33 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/utils/__tests__/helpers.test.ts b/src/utils/__tests__/helpers.test.ts
@@ -71,6 +71,30 @@ describe('Utils', () => {
         const obj2 = { a: ['C'], b: ['D'] };
         expect(mergeObjects({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] });
       });
+      test('should prevent prototype pollution', () => {
+        const target = {};
+        const source = JSON.parse('{"__proto__": {"polluted": "yes"}}');
+
+        mergeObjects(target, source);
+
+        expect(({} as any).polluted).toBeUndefined();
+      });
+      test('should merge objects correctly', () => {
+        const target = { a: 1 };
+        const source = { b: 2 };
+
+        const result = mergeObjects(target, source);
+
+        expect(result).toEqual({ a: 1, b: 2 });
+      });
+      test('should handle nested objects', () => {
+        const target = { a: { b: 1 } };
+        const source = { a: { c: 2 } };
+
+        const result = mergeObjects(target, source);
+
+        expect(result).toEqual({ a: { b: 1, c: 2 } });
+      });
     });
 
     describe('titleize', () => {

diff --git a/src/utils/helpers.ts b/src/utils/helpers.ts
@@ -81,7 +81,6 @@ export function appendToMdHeading(md: string, heading: string, content: string)
   }
 }
 
-// credits https://stackoverflow.com/a/46973278/1749888
 export const mergeObjects = (target: any, ...sources: any[]): any => {
   if (!sources.length) {
     return target;
@@ -93,13 +92,15 @@ export const mergeObjects = (target: any, ...sources: any[]): any => {
 
   if (isMergebleObject(target) && isMergebleObject(source)) {
     Object.keys(source).forEach((key: string) => {
-      if (isMergebleObject(source[key])) {
-        if (!target[key]) {
-          target[key] = {};
+      if (Object.prototype.hasOwnProperty.call(source, key) && key !== '__proto__') {
+        if (isMergebleObject(source[key])) {
+          if (!target[key]) {
+            target[key] = {};
+          }
+          mergeObjects(target[key], source[key]);
+        } else {
+          target[key] = source[key];
         }
-        mergeObjects(target[key], source[key]);
-      } else {
-        target[key] = source[key];
       }
     });
   }