JS: Proto pollution: Add is-plain-object sanitizer

2026-04-30 19:26:02 +02:00 · 2020-02-21 14:38:33 +00:00
parent ee5cf95f5b
commit d1df251b92
2 changed files with 32 additions and 1 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js
+++ b/javascript/ql/test/query-tests/Security/CWE-400/PrototypePollutionUtility/tests.js
@@ -462,3 +462,14 @@ function copyUsingUnderscoreOrLodash(dst, src) {
        }
    });
 }
+
+let isPlainObject = require('is-plain-object');
+function copyPlainObject(dst, src) {
+    for (let key in src) {
+        if (dst[key] && isPlainObject(src)) {
+            copyPlainObject(dst[key], src[key]);
+        } else {
+            dst[key] = src[key]; // OK
+        }
+    }
+}