prototype pollution prevention (#1394)

* prototype pollution prevention

* update base branch

* update ubuntu version

Author: waltjones

.github/workflows/ci.yml

@@ -2,14 +2,14 @@ name: Rollbar.js CI
 
 on:
   push:
-    branches: [master]
+    branches: [next/2.x/main]
     tags: [v*]
   pull_request:
-    branches: [master]
+    branches: [next/2.x/main]
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     strategy:
       matrix:

src/merge.js

@@ -34,7 +34,7 @@ function merge() {
     copy,
     clone,
     name,
-    result = {},
+    result = Object.create(null), // no prototype pollution on Object
     current = null,
     length = arguments.length;
 

src/utility.js

@@ -660,6 +660,10 @@ function set(obj, path, value) {
   if (!obj) {
     return;
   }
+
+  // Prevent prototype pollution by setting the prototype to null.
+  Object.setPrototypeOf(obj, null);
+
   var keys = path.split('.');
   var len = keys.length;
   if (len < 1) {

test/utility.test.js

@@ -446,6 +446,13 @@ describe('merge', function () {
     expect(e.amihere).to.eql('yes');
     done();
   });
+  it('should be secure against prototype pollution', function () {
+    const o1 = JSON.parse('{"__proto__": {"polluted": "yes"}}');
+    const o2 = JSON.parse('{"__proto__": {"polluted": "yes"}}');
+    const result = _.merge(o1, o2);
+    expect({}.polluted).to.not.eql('yes');
+    expect(result.polluted).to.not.eql('yes');
+  });
 });
 
 var traverse = require('../src/utility/traverse');
@@ -765,6 +772,12 @@ describe('set', function () {
     expect(o.foo.bar.buzz).to.eql(97);
     expect(o.foo.bar.baz.fizz).to.eql(1);
   });
+  it('should be secure against prototype pollution', function () {
+    const o = {};
+    _.set(o, '__proto__.polluted', 'yes');
+    expect({}.polluted).to.not.eql('yes');
+    expect(o.polluted).to.not.eql('yes');
+  });
 });
 
 var scrub = require('../src/scrub');