Ignore __proto__ fields in deepMerge() #2779

Merged
merged 3 commits into from
Jun 4, 2019

Conversation

trevor-scheer
Member

Purpose

The purpose of this PR is to resolve a security issue within @apollo/gateway. The deepMerge function is open to a known attack vector called prototype pollution. Prototype pollution allows a user to "pollute" Object.prototype, thereby polluting all Objects with Object.prototype in their prototype chain.

This function is currently only in use by the new @apollo/gateway.

Impact and resolution

Vulnerable versions of @apollo/gateway include all <=0.6.1. A release of version 0.6.2 will follow the merging of this PR shortly and resolve the issue.
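Worked example, added here and not apollo-server's own code: a guarded deepMerge written in the style of the patched function (its full body is not on this page, so the nested-merge branch is an assumption), extended beyond the PR by also skipping `constructor` and `prototype`, with a self-check that merging untrusted JSON carrying a `__proto__` key leaves Object.prototype untouched.

```typescript
// Added example (not apollo-server's code): a deepMerge in the style of the
// patched function, keeping the PR's `__proto__` guard and extending it to
// `constructor` and `prototype`, plus a check that merging untrusted JSON
// leaves Object.prototype untouched.

// Keys never copied from an untrusted source; `__proto__` is the one the PR
// adds, the other two are the usual companion routes to Object.prototype.
const BLOCKED_KEYS: ReadonlySet<string> = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value: unknown): value is Record<string, unknown> {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

export function deepMerge(target: any, source: any): any {
  if (source === undefined || source === null) return target;
  // Object.keys() does list `__proto__` when it is an own property, which is
  // exactly what JSON.parse produces for {"__proto__": ...}; hence the guard.
  for (const key of Object.keys(source)) {
    if (source[key] === undefined || BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      deepMerge(target[key], source[key]); // assumed: recurse into nested objects
    } else {
      target[key] = source[key]; // scalars, arrays and new subtrees are assigned
    }
  }
  return target;
}

// Constructed untrusted input: a legitimate nested field next to a `__proto__`
// key of the kind the guard is meant to ignore.
export const UNTRUSTED_JSON =
  '{"headers":{"x-trace":"1"},"__proto__":{"polluted":"yes"}}';

// Merge untrusted JSON into a fresh config object and report whether
// Object.prototype gained any own property in the process.
export function mergeUntrusted(json: string): { merged: any; polluted: boolean } {
  const before = Object.getOwnPropertyNames(Object.prototype).length;
  const merged = deepMerge({ headers: { accept: 'json' } }, JSON.parse(json));
  const after = Object.getOwnPropertyNames(Object.prototype).length;
  return { merged, polluted: after !== before };
}
```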

@trevor-scheer trevor-scheer merged commit 69e4854 into master Jun 4, 2019
@trevor-scheer trevor-scheer deleted the trevor/deepmerge-ignore-proto branch June 4, 2019 23:24
abernix pushed a commit to apollographql/federation that referenced this pull request Sep 4, 2020

This resolves a security issue within @apollo/gateway. The deepMerge
function is open to a known attack vector called prototype pollution.
Prototype pollution allows a user to "pollute" Object.prototype, thereby
polluting all Objects with Object.prototype in their prototype chain.

This function is currently only in use by @apollo/gateway.

Apollo-Orig-Commit-AS: apollographql/apollo-server@69e4854
@@ -4,7 +4,7 @@ export function deepMerge(target: any, source: any): any {
if (source === undefined || source === null) return target;

for (const key of Object.keys(source)) {
if (source[key] === undefined) continue;
if (source[key] === undefined || key === '__proto__') continue;
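Review bot: the new condition skips only the literal `__proto__` key; if the rest of `deepMerge` (outside this hunk) recurses into `target[key]` for nested objects, an untrusted source with an own `constructor` property holding a `prototype` object would still be walked into `target.constructor.prototype`, which is Object.prototype for a plain target. Suggest widening the guard, e.g. `if (source[key] === undefined || key === '__proto__' || key === 'constructor' || key === 'prototype') continue;`, and adding a regression test that merges a `JSON.parse`d object carrying these keys and asserts Object.prototype is unchanged, since `Object.keys(source)` does list `__proto__` when JSON.parse created it as an own property.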

Neat.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2023