Fix prototype pollution vulnerability (#1828)

(cherry picked from commit e1ecdbf) Conflicts: lib/internal/iterator.js test/mapValues.js NOTE(mriedem): The conflicts are due to: - e475117 for iterator.js; resolution was trivial - bd86f42 for mapValues.js; resolution was just copying the test change into the old test file before it was moved This is a 2.x series backport for https://nvd.nist.gov/vuln/detail/CVE-2021-43138. Co-authored-by: Alexander Early <alexander.early@gmail.com>
caolan · Apr 13, 2022 · 8f7f903 · 8f7f903
1 parent f1d8383
commit 8f7f903
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/lib/internal/iterator.js b/lib/internal/iterator.js
@@ -27,6 +27,9 @@ function createObjectIterator(obj) {
     var len = okeys.length;
     return function next() {
         var key = okeys[++i];
+        if (key === '__proto__') {
+            return next();
+        }
         return i < len ? {value: obj[key], key: key} : null;
     };
 }

diff --git a/mocha_test/mapValues.js b/mocha_test/mapValues.js
@@ -39,6 +39,17 @@ describe('mapValues', function () {
                 done();
             });
         });
+
+        it('prototype pollution', (done) => {
+            var input = JSON.parse('{"a": 1, "b": 2, "__proto__": { "exploit": true }}');
+
+            async.mapValues(input, (val, key, next) => {
+                next(null, val)
+            }, (err, result) => {
+                expect(result.exploit).to.equal(undefined)
+                done(err);
+            })
+        })
     });
 
     context('mapValues', function () {