fix(extend): remove prototype pollution (#554)

amzn · Mar 6, 2021 · b99710a · b99710a
1 parent 9b5cfad
commit b99710a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/__tests__/extend.test.js b/__tests__/extend.test.js
@@ -245,4 +245,13 @@ describe('extend', () => {
     expect(StyleDictionary3.foo).toBe('boo');
     expect(StyleDictionary).not.toHaveProperty('foo');
   });
+
+  it(`should not pollute the prototype`, () => {
+    const obj = {};
+    let opts = JSON.parse('{"__proto__":{"polluted":"yes"}}');
+    console.log("Before : " + obj.polluted);
+    StyleDictionary.extend(opts);
+    console.log("After : " + obj.polluted);
+    expect(obj.polluted).toBeUndefined();
+  });
 });
diff --git a/lib/utils/deepExtend.js b/lib/utils/deepExtend.js
@@ -44,6 +44,8 @@ function deepExtend(objects, collision, path) {
       for (name in options) {
         if (!options.hasOwnProperty(name))
           continue;
+        if (name === '__proto__')
+          continue;
 
         src = target[name];
         copy = options[name];