fix(security): fixed formToJSON prototype pollution vulnerability; (#6167)

2026-06-08 17:22:34 +03:00 · 2024-01-03 21:37:32 +02:00
parent 75af1cdff5
commit 3c0c11cade
2 changed files with 24 additions and 0 deletions
@@ -47,4 +47,25 @@ describe('formDataToJSON', function () {
      foo: ['1', '2']
    });
  });
+
+  it('should resist prototype pollution CVE', () => {
+    const formData = new FormData();
+
+    formData.append('foo[0]', '1');
+    formData.append('foo[1]', '2');
+    formData.append('__proto__.x', 'hack');
+    formData.append('constructor.prototype.y', 'value');
+
+    expect(formDataToJSON(formData)).toEqual({
+      foo: ['1', '2'],
+      constructor: {
+        prototype: {
+          y: 'value'
+        }
+      }
+    });
+
+    expect({}.x).toEqual(undefined);
+    expect({}.y).toEqual(undefined);
+  });
 });