From aa9e5b9ef1262250630985aa5667819a4f8c4e4d Mon Sep 17 00:00:00 2001
From: ChenKS12138 <749923710@qq.com>
Date: Tue, 24 Nov 2020 21:19:02 +0800
Subject: [PATCH] Fix prototype pollution security issue. fixes #1331
---
 CHANGELOG.md            | 4 ++++
 nunjucks/src/runtime.js | 2 +-
 tests/runtime.js        | 16 ++++++++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ad9fed8d..bae08dba 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,10 @@ Unreleased
 * Add `base` arg to [`int` filter](https://mozilla.github.io/nunjucks/templating.html#int).
 * Move `chokidar` to `peerDependencies` and mark it `optional` in `peerDependenciesMeta`.
+* Fix prototype pollution issue for template variables. Merge of
+  [#1330](https://github.com/mozilla/nunjucks/pull/1330); fixes
+  [#1331](https://github.com/mozilla/nunjucks/issues/1331). Thanks
+  [ChenKS12138](https://github.com/ChenKS12138)!
 3.2.2 (Jul 20 2020)
 -------------------
diff --git a/nunjucks/src/runtime.js b/nunjucks/src/runtime.js
index d57c741e..4d1cb4bf 100644
--- a/nunjucks/src/runtime.js
+++ b/nunjucks/src/runtime.js
@@ -12,7 +12,7 @@ var supportsIterators = (
 // variables, for example.
 class Frame {
   constructor(parent, isolateWrites) {
-    this.variables = {};
+    this.variables = Object.create(null);
     this.parent = parent;
     this.topLevel = false;
     // if this is true, writes (set) should never propagate upwards past
diff --git a/tests/runtime.js b/tests/runtime.js
index 4b104f6b..1a799ba0 100644
--- a/tests/runtime.js
+++ b/tests/runtime.js
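Review bot: `this.variables = Object.create(null)` stops inherited names such as `constructor` or `__proto__` from being read through the frame's own variable bag, but it only covers this one object; Frame's `lookup` and `set` bodies lie outside the hunk, and if `set` materialises intermediate objects for dotted names with a plain `{}` (as the old code did here), a nested path can still walk from such an intermediate object up to `Object.prototype`, so those allocations should use `Object.create(null)` too and reads should prefer `Object.prototype.hasOwnProperty.call(obj, name)` over a bare index. The changed line deserves a why-comment so the null prototype is not "tidied" back into `{}` later: `// null prototype: template-supplied names must never resolve to (or write into) Object.prototype`. The Frame constructor continues past the end of the hunk.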
@@ -110,5 +110,21 @@
       finish(done);
     });
+
+    it('should not read variables property from Object.prototype', function(done) {
+      var payload = 'function(){ return 1+2; }()';
+      var data = {};
+      Object.getPrototypeOf(data).payload = payload;
+
+      render('{{ payload }}', data, {
+        noThrow: true
+      }, function(err, res) {
+        expect(err).to.equal(null);
+        expect(res).to.equal(payload);
+      });
+      delete Object.getPrototypeOf(data).payload;
+
+      finish(done);
+    });
   });
 }());
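Review bot: The test mutates the shared `Object.prototype` and only cleans it up with `delete Object.getPrototypeOf(data).payload` after `render` returns, so if either `expect` in the callback throws, the property is never removed and the pollution leaks into every later test in the run; wrap the call as `try { render(...); } finally { delete Object.getPrototypeOf(data).payload; }` (or move the cleanup into an `afterEach`). The expectation `expect(res).to.equal(payload)` also states that the inherited `payload` value is rendered, which reads against the title "should not read variables property from Object.prototype"; whether the value should be absent from the output or merely emitted as an inert string depends on the lookup path in `render`, which is outside this hunk, so the title or the assertion should be made to say the same thing. `finish(done)` is invoked unconditionally right after `render`, which only reports the assertions if `render` calls its callback synchronously; if it can be asynchronous, the assertions run after the test has already completed.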