Merge pull request #384 from 418sec/1-npm-convict

Security Fix for Prototype Pollution - huntr.dev
mozilla · Mar 10, 2021 · dc17a2e · dc17a2e
2 parents 95f4ab3 + 180d692
commit dc17a2e
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/packages/convict/src/main.js b/packages/convict/src/main.js
@@ -561,8 +561,10 @@ const convict = function convict(def, opts) {
       const path = k.split('.')
       const childKey = path.pop()
       const parentKey = path.join('.')
-      const parent = walk(this._instance, parentKey, true)
-      parent[childKey] = v
+      if (!(parentKey == '__proto__' || parentKey == 'constructor' || parentKey == 'prototype')) {
+        const parent = walk(this._instance, parentKey, true)
+        parent[childKey] = v 
+      }
       return this
     },