From 62c26936b3adee9c20255dcd9f8ee5c299b464a9 Mon Sep 17 00:00:00 2001
From: Hryhorii Hrebiniuk
Date: Fri, 24 Dec 2021 17:40:19 +0200
Subject: [PATCH] BAP-21092: JavaScript Prototype Pollution (#31464)

---
 src/Oro/Bundle/UIBundle/Resources/public/js/tools.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/Oro/Bundle/UIBundle/Resources/public/js/tools.js b/src/Oro/Bundle/UIBundle/Resources/public/js/tools.js
index ededa96a81a..93096aa748c 100644
--- a/src/Oro/Bundle/UIBundle/Resources/public/js/tools.js
+++ b/src/Oro/Bundle/UIBundle/Resources/public/js/tools.js
@@ -85,6 +85,10 @@ define(function(require) {
 query = query.slice(1);
 }
 const setValue = function(root, path, value) {
+ if (path[0] === '__proto__') {
+ // Prevent Object.prototype pollution
+ return;
+ }
 if (path.length > 1) {
 const dir = path.shift();
 if (typeof root[dir] === 'undefined') {
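Review bot: The added guard in setValue only rejects a `__proto__` segment, so a path whose segments are `constructor` followed by `prototype` still reaches `Object.prototype` through `root.constructor.prototype` and is not blocked. The usual hardening is to reject all three reserved keys at the same spot, `if (['__proto__', 'constructor', 'prototype'].includes(path[0])) { return; }`, with the comment updated to `// Prevent prototype pollution via __proto__/constructor/prototype segments`. Because the check inspects only `path[0]`, it covers later segments only if setValue re-enters itself with the shifted path on each step; the recursive call and the final assignment lie outside this hunk, so that assumption should be confirmed. Silently returning also hides a rejected key from the caller; at minimum the comment should say the key is dropped deliberately, or the function could throw so malformed query strings are observable.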