
Ignore __proto__ fields in deepMerge() #2779

Merged
merged 3 commits into from
Jun 4, 2019

Conversation

trevor-scheer
Member

Purpose

The purpose of this PR is to resolve a security issue within @apollo/gateway. The deepMerge function is open to a known attack vector called prototype pollution. Prototype pollution allows a user to "pollute" Object.prototype, thereby polluting all Objects with Object.prototype in their prototype chain.

This function is currently only in use by the new @apollo/gateway.

Impact and resolution

Vulnerable versions of @apollo/gateway include all <=0.6.1. A release of version 0.6.2 will follow the merging of this PR shortly and resolve the issue.
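The merge behaviour this PR fixes, as an added example that is not the project's code: `deepMergeUnsafe` reconstructs a recursive merge loop without the key filter, `deepMergeSafe` adds it (and also skips `constructor` and `prototype`, a common extra guard that goes beyond the PR's `__proto__` check), and the input is constructed here to mirror what `JSON.parse` produces from untrusted request data.

```javascript
'use strict';

// Keys through which attacker-controlled data can reach a shared prototype during a
// recursive merge. The PR skips only '__proto__'; 'constructor' and 'prototype' are
// the usual additional guards and are an extension here, not part of the patch.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isMergeable(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Merge loop with no key filter (the shape of the code before the fix). When `key` is
// '__proto__', reading target[key] yields Object.prototype and the recursion writes into it.
function deepMergeUnsafe(target, source) {
  if (source === undefined || source === null) return target;
  for (const key of Object.keys(source)) {
    if (source[key] === undefined) continue;
    if (isMergeable(source[key])) {
      const nested = isMergeable(target[key]) ? target[key] : {};
      target[key] = deepMergeUnsafe(nested, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Same loop with the key filter applied before any read or write through `key`.
function deepMergeSafe(target, source) {
  if (source === undefined || source === null) return target;
  for (const key of Object.keys(source)) {
    if (source[key] === undefined || UNSAFE_KEYS.has(key)) continue;
    if (isMergeable(source[key])) {
      const nested = isMergeable(target[key]) ? target[key] : {};
      target[key] = deepMergeSafe(nested, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed input: parsing the string makes "__proto__" an own, enumerable data
// property, so Object.keys() returns it and source[key] reads the nested object.
const CONSTRUCTED_INPUT = JSON.parse('{"__proto__": {"polluted": true}, "ok": 1}');

// Merges the constructed input into an empty object and reports whether an unrelated,
// fresh object now sees `polluted` via its prototype chain; then undoes any pollution.
function mergeLeaksIntoPrototype(mergeFn) {
  mergeFn({}, CONSTRUCTED_INPUT);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```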

@trevor-scheer trevor-scheer requested a review from jbaxleyiii June 4, 2019 23:14
@trevor-scheer trevor-scheer merged commit 69e4854 into master Jun 4, 2019
@trevor-scheer trevor-scheer deleted the trevor/deepmerge-ignore-proto branch June 4, 2019 23:24
abernix pushed a commit to apollographql/federation that referenced this pull request Sep 4, 2020

This resolves a security issue within @apollo/gateway. The deepMerge
function is open to a known attack vector called prototype pollution.
Prototype pollution allows a user to "pollute" Object.prototype, thereby
polluting all Objects with Object.prototype in their prototype chain.

This function is currently only in use by @apollo/gateway.

Apollo-Orig-Commit-AS: apollographql/apollo-server@69e4854
@@ -4,7 +4,7 @@ export function deepMerge(target: any, source: any): any {
if (source === undefined || source === null) return target;

for (const key of Object.keys(source)) {
if (source[key] === undefined) continue;
if (source[key] === undefined || key === '__proto__') continue;
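Review bot: the added condition skips only the literal key `__proto__`. If `deepMerge` recurses into nested objects (the recursion is outside this hunk), a `constructor` key whose value carries a `prototype` object reaches `Object.prototype` by a second route, because `target['constructor']` resolves through the prototype chain to `Object`. Consider extending the guard to `key === '__proto__' || key === 'constructor' || key === 'prototype'`, or only merging into keys `target` owns (`Object.prototype.hasOwnProperty.call(target, key)`), and add a regression test that merges `JSON.parse('{"__proto__": {"polluted": true}}')` and asserts `({}).polluted === undefined` afterwards.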

Neat.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 16, 2023