fix: Prototype Pollution Vulnerability Affecting redoc <=2.2.0

Lucas Akira Uehara · Lucas Akira Uehara · commit ca247fd9b3c5 · 2025-01-02T13:27:06.000-03:00
#2499
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/utils/__tests__/helpers.test.ts b/src/utils/__tests__/helpers.test.ts
@@ -71,6 +71,30 @@ describe('Utils', () => {
         const obj2 = { a: ['C'], b: ['D'] };
         expect(mergeObjects({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] });
       });
+      test('should prevent prototype pollution', () => {
+        const target = {};
+        const source = JSON.parse('{"__proto__": {"polluted": "yes"}}');
+
+        mergeObjects(target, source);
+
+        expect(({} as any).polluted).toBeUndefined();
+      });
+      test('should merge objects correctly', () => {
+        const target = { a: 1 };
+        const source = { b: 2 };
+
+        const result = mergeObjects(target, source);
+
+        expect(result).toEqual({ a: 1, b: 2 });
+      });
+      test('should handle nested objects', () => {
+        const target = { a: { b: 1 } };
+        const source = { a: { c: 2 } };
+
+        const result = mergeObjects(target, source);
+
+        expect(result).toEqual({ a: { b: 1, c: 2 } });
+      });
     });
 
     describe('titleize', () => {
diff --git a/src/utils/helpers.ts b/src/utils/helpers.ts
@@ -81,7 +81,6 @@ export function appendToMdHeading(md: string, heading: string, content: string)
   }
 }
 
-// credits https://stackoverflow.com/a/46973278/1749888
 export const mergeObjects = (target: any, ...sources: any[]): any => {
   if (!sources.length) {
     return target;
@@ -93,13 +92,15 @@ export const mergeObjects = (target: any, ...sources: any[]): any => {
 
   if (isMergebleObject(target) && isMergebleObject(source)) {
     Object.keys(source).forEach((key: string) => {
-      if (isMergebleObject(source[key])) {
-        if (!target[key]) {
-          target[key] = {};
+      if (Object.prototype.hasOwnProperty.call(source, key) && key !== '__proto__') {
+        if (isMergebleObject(source[key])) {
+          if (!target[key]) {
+            target[key] = {};
+          }
+          mergeObjects(target[key], source[key]);
+        } else {
+          target[key] = source[key];
         }
-        mergeObjects(target[key], source[key]);
-      } else {
-        target[key] = source[key];
       }
     });
   }

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,6 @@ export function appendToMdHeading(md: string, heading: string, content: string)`
`81`	`81`	`}`
`82`	`82`	`}`
`83`	`83`
`84`		`-// credits https://stackoverflow.com/a/46973278/1749888`
`85`	`84`	`export const mergeObjects = (target: any, ...sources: any[]): any => {`
`86`	`85`	`if (!sources.length) {`
`87`	`86`	`return target;`
`@@ -93,13 +92,15 @@ export const mergeObjects = (target: any, ...sources: any[]): any => {`
`93`	`92`
`94`	`93`	`if (isMergebleObject(target) && isMergebleObject(source)) {`
`95`	`94`	`Object.keys(source).forEach((key: string) => {`
`96`		`- if (isMergebleObject(source[key])) {`
`97`		`- if (!target[key]) {`
`98`		`- target[key] = {};`
	`95`	`+ if (Object.prototype.hasOwnProperty.call(source, key) && key !== '__proto__') {`
	`96`	`+ if (isMergebleObject(source[key])) {`
	`97`	`+ if (!target[key]) {`
	`98`	`+ target[key] = {};`
	`99`	`+ }`
	`100`	`+ mergeObjects(target[key], source[key]);`
	`101`	`+ } else {`
	`102`	`+ target[key] = source[key];`
`99`	`103`	`}`
`100`		`- mergeObjects(target[key], source[key]);`
`101`		`- } else {`
`102`		`- target[key] = source[key];`
`103`	`104`	`}`
`104`	`105`	`});`
`105`	`106`	`}`