fix: Fixed a prototype pollution bug reported by @kevin_mizu

cure53 · Jan 5, 2023 · d1dd037 · d1dd037
1 parent 24d2a7f
commit d1dd037
Show file tree

Hide file tree

Showing 10 changed files with 23 additions and 13 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/utils.js b/src/utils.js
@@ -95,7 +95,7 @@ export function clone(object) {
 
   let property;
   for (property in object) {
-    if (apply(hasOwnProperty, object, [property])) {
+    if (apply(hasOwnProperty, object, [property]) === true) {
       newObject[property] = object[property];
     }
   }

diff --git a/test/test-suite.js b/test/test-suite.js
@@ -1687,7 +1687,7 @@
       }
     );
     QUnit.test(
-      'Test protection from prototype pollution attacks',
+      'Test protection from prototype pollution attacks 1/2',
       function (assert) {
         const obj = JSON.parse(
           '{"ALLOWED_ATTR":["onerror","src"], "documentMode":9}'
@@ -1701,6 +1701,16 @@
         assert.equal(clean, '<img src="x">');
       }
     );
+    QUnit.test(
+      'Test protection from prototype pollution attacks 2/2',
+      function (assert) {
+        var obj = {};
+        obj.__proto__.hasOwnProperty = Object;
+        obj.constructor.prototype.ALLOWED_ATTR = ["src", "onerror"];
+        var clean = DOMPurify.sanitize('<img src=x onerror=alert(1)>');
+        assert.equal(clean, '<img src="x">');
+      }
+    );
     QUnit.test('Test if namespaces are properly enforced', function (assert) {
       var tests = [
         {