From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 9 Dec 2021 13:01:08 +0100
Subject: [PATCH] deps(json-schema): protect against prototype pollution

Amalgamation of the following upstream patches:
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa

Fixes: CVE-2021-3918
Signed-off-by: rpm-build <rpm-build>
---
 .../node_modules/json-schema/lib/validate.js  |  4 +--
 .../node_modules/json-schema/test/tests.js    | 28 ++++++++++++++++++-
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js
index 4b61088..d05ee86 100644
--- a/deps/npm/node_modules/json-schema/lib/validate.js
+++ b/deps/npm/node_modules/json-schema/lib/validate.js
@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
 			}
 
 			for(var i in objTypeDef){
-				if(objTypeDef.hasOwnProperty(i)){
-					var value = instance[i];
+				if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
+					var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
 					// skip _not_ specified properties
 					if (value === undefined && options.existingOnly) continue;
 					var propDef = objTypeDef[i];
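Review bot: The new `var value = ...` line calls `hasOwnProperty` through the instance itself, so an instance that carries its own `hasOwnProperty` key, or one without a prototype, makes validation throw a TypeError instead of returning a result. Because the instance is the untrusted side, I would borrow the method from `Object.prototype`: `var value = Object.prototype.hasOwnProperty.call(instance, i) ? instance[i] : undefined;`, and do the same for `objTypeDef` on the line above. The key filter is a two-name denylist written with loose `!=`; `!==` would match the strict comparison two lines below, and a comment such as `// never descend into keys that resolve to Object.prototype` would record why those names are excluded. The enclosing loop and function start and end outside the hunk, so the write this guard presumably protects is not visible here.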
diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js
index 40eeda5..70f515a 100644
--- a/deps/npm/node_modules/json-schema/test/tests.js
+++ b/deps/npm/node_modules/json-schema/test/tests.js
@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({
 
     'Json-Ref self-validates': assertSelfValidates('json-ref'),
     'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
-    'Json-Ref/Core': assertValidates('json-ref', 'schema')
+    'Json-Ref/Core': assertValidates('json-ref', 'schema'),
+    prototypePollution: function() {
+        console.log('testing')
+        const instance = JSON.parse(`
+        {
+        "$schema":{
+            "type": "object",
+            "properties":{
+            "__proto__": {
+                "type": "object",
+                
+                "properties":{
+                "polluted": {
+                    "type": "string",
+                    "default": "polluted"
+                }
+                }
+            }
+            },
+            "__proto__": {}
+        }
+        }`);
+                                            
+        const a = {};
+        validate(instance);
+        assert.equal(a.polluted, undefined);
+    }
 }).export(module);
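Review bot: The regression test covers only the `__proto__` key, while the validate.js change in this patch also excludes `constructor`; that second branch has no test, so a later edit could drop it unnoticed. A sibling case keyed on `constructor` with the same `assert.equal(a.polluted, undefined)` check would pin it. The leftover `console.log('testing')` should be removed. If the assertion ever fails, `Object.prototype.polluted` stays set for the rest of the suite, so a `delete Object.prototype.polluted` in cleanup would keep the other tests independent. The batch object starts outside the hunk.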
-- 
2.33.1