Fix object pollution vulnerability in math.config

2026-01-18 14:59:29 +00:00 · 2020-10-10 10:24:48 +02:00 · 2020-10-10 10:24:48 +02:00 · ecb80514e8
commit ecb80514e8
parent a2858e266a
4 changed files with 44 additions and 1 deletions
--- a/HISTORY.md
+++ b/HISTORY.md
@ -1,5 +1,10 @@
 # History

+# not yet published, version 7.5.1
+
+- Fix object pollution vulnerability in `math.config`. Thanks Snyk.
+
+
 # 2020-10-07, version 7.5.0

 - Function `pickRandom` now allows randomly picking elements from matrices 
--- a/src/utils/object.js
+++ b/src/utils/object.js
@ -86,7 +86,9 @@ export function deepExtend (a, b) {
  }

  for (const prop in b) {
-    if (hasOwnProperty(b, prop)) {
+    // We check against prop not being in Object.prototype or Function.prototype
+    // to prevent polluting for example Object.__proto__.
+    if (hasOwnProperty(b, prop) && !(prop in Object.prototype) && !(prop in Function.prototype)) {
      if (b[prop] && b[prop].constructor === Object) {
        if (a[prop] === undefined) {
          a[prop] = {}
--- a/test/unit-tests/expression/security.test.js
+++ b/test/unit-tests/expression/security.test.js
@ -390,6 +390,34 @@ describe('security', function () {
    assert.strictEqual(math.expression.mathWithTransform.chain, undefined)
    assert.deepStrictEqual(math.evaluate('chain'), math.unit('chain'))
  })
+
+  it('should not allow polluting the Object prototype via config', () => {
+    const obj = {}
+    assert.strictEqual(obj.polluted, undefined)
+
+    // change the configuration
+    const newConfig = JSON.parse('{"__proto__":{"polluted":"yes"}}')
+    math.config(newConfig)
+    assert.strictEqual(obj.polluted, undefined)
+  })
+
+  it('should not allow polluting the Object prototype via config via the expression parser', () => {
+    const obj = {}
+    assert.strictEqual(obj.polluted, undefined)
+
+    // change the configuration
+    math.evaluate('config({"__proto__":{"polluted":"yes"}})')
+    assert.strictEqual(obj.polluted, undefined)
+  })
+
+  it('should not allow polluting the Object prototype by creating an object in the expression parser', () => {
+    const obj = {}
+    assert.strictEqual(obj.polluted, undefined)
+
+    // change the configuration
+    math.evaluate('a = {"__proto__":{"polluted":"yes"}}')
+    assert.strictEqual(obj.polluted, undefined)
+  })
 })

 function isPlainObject (object) {
--- a/test/unit-tests/utils/object.test.js
+++ b/test/unit-tests/utils/object.test.js
@ -141,6 +141,14 @@ describe('object', function () {

      delete Object.prototype.foo
    })
+
+    it('should not pollute Object.__proto__', function () {
+      const obj = {}
+      assert.strictEqual(obj.polluted, undefined)
+
+      deepExtend(obj, JSON.parse('{"__proto__":{"polluted":"yes"}}'))
+      assert.strictEqual(obj.polluted, undefined)
+    })
  })

  describe('deepEqual', function () {