Skip to content

guard mergeObjects against prototype-polluting keys#40516

Open
digi-scrypt wants to merge 1 commit into
ampproject:mainfrom
digi-scrypt:analytics-merge-proto-guard
Open

guard mergeObjects against prototype-polluting keys#40516
digi-scrypt wants to merge 1 commit into
ampproject:mainfrom
digi-scrypt:analytics-merge-proto-guard

Conversation

@digi-scrypt

Copy link
Copy Markdown

mergeObjects merges fetched/inline analytics config into a plain object and recurses into the destination when both sides are objects.

  • a remote config response with a __proto__ key walks the recursion onto Object.prototype and writes nested keys there, so {}.whatever is polluted page-wide
  • mergeObjects(this.remoteConfig_, config) in processConfigs_ feeds the fetched JSON straight in, so the source is whatever the analytics endpoint returns
  • what happens if a vendor or a compromised endpoint returns {"__proto__": {"...": ...}}? right now every object on the page inherits it
    Skipping __proto__/constructor/prototype in the loop, same shape storage-impl already uses for its keys.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


digi-scrypt seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants