Fix Prototype Pollution vulnerability (CVE-2023-26102) by applying changes from timdown#482

Sergei Tomin · Sergei Tomin · commit 8e6bdbd1d161 · 2023-11-02T11:49:45.000+01:00
diff --git a/README.md b/README.md
@@ -1,3 +1,5 @@
+### This fork includes PR with a vulnerability fix (https://github.com/timdown/rangy/pull/482)
+
 Rangy
 =====
 
diff --git a/lib/rangy-core.js b/lib/rangy-core.js
@@ -158,6 +158,9 @@
         util.extend = extend = function(obj, props, deep) {
             var o, p;
             for (var i in props) {
+                if (i === "__proto__" || i === "constructor" || i === "prototype") {
+                    continue;
+                }
                 if (props.hasOwnProperty(i)) {
                     o = obj[i];
                     p = props[i];
@@ -3862,7 +3865,7 @@
             win = null;
         });
     });
-    
+
 
     /*----------------------------------------------------------------------------------------------------------------*/
 
@@ -3893,4 +3896,4 @@
     }
 
     return api;
-}, this);
+}, this);
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
     "name": "rangy",
     "description": "A cross-browser DOM range and selection library",
-    "version": "1.3.1",
+    "version": "1.3.2",
     "author": {
         "name": "Tim Down",
         "email": "tim@timdown.co.uk",
@@ -33,4 +33,4 @@
         "jshint": "^2.13.5",
         "archiver": "^5.3.1"
     }
-}
+}
diff --git a/src/core/core.js b/src/core/core.js
@@ -159,6 +159,9 @@
         util.extend = extend = function(obj, props, deep) {
             var o, p;
             for (var i in props) {
+                if (i === "__proto__" || i === "constructor" || i === "prototype") {
+                    continue;
+                }
                 if (props.hasOwnProperty(i)) {
                     o = obj[i];
                     p = props[i];
@@ -511,4 +514,4 @@
     }
 
     return api;
-}, this);
+}, this);

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+### This fork includes PR with a vulnerability fix (https://github.com/timdown/rangy/pull/482)`
	`2`	`+`
`1`	`3`	`Rangy`
`2`	`4`	`=====`
`3`	`5`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "rangy",`
`3`	`3`	`"description": "A cross-browser DOM range and selection library",`
`4`		`- "version": "1.3.1",`
	`4`	`+ "version": "1.3.2",`
`5`	`5`	`"author": {`
`6`	`6`	`"name": "Tim Down",`
`7`	`7`	`"email": "tim@timdown.co.uk",`
`@@ -33,4 +33,4 @@`
`33`	`33`	`"jshint": "^2.13.5",`
`34`	`34`	`"archiver": "^5.3.1"`
`35`	`35`	`}`
`36`		`-}`
	`36`	`+}`