fix: mergeDeep avoid prototype pollution

ArtalkJS · Dec 26, 2023 · 4cc7618 · 4cc7618
1 parent 9b03736
commit 4cc7618
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 2 deletions.
diff --git a/ui/artalk/src/context.ts b/ui/artalk/src/context.ts
@@ -30,7 +30,7 @@ class Context implements ContextApi {
   public constructor(conf: ArtalkConfig) {
     this.conf = conf
 
-    this.$root = (conf.el instanceof Element) ? conf.el : document.createElement('div')
+    this.$root = conf.el as HTMLElement
     this.$root.classList.add('artalk')
     this.$root.innerHTML = ''
 

diff --git a/ui/artalk/src/lib/merge-deep.test.ts b/ui/artalk/src/lib/merge-deep.test.ts
@@ -43,3 +43,23 @@ describe('Prevent in-place modify: mergeDeep(a, b)', () => {
     expect(b).toEqual({ a: 1, arr: [1, 2, 3] })
   })
 })
+
+describe('Merge special types', () => {
+  const testItem = (name: string, val: any) => {
+    it(name, () => {
+      expect(mergeDeep({ a: val }, { b: val })).toEqual({ a: val, b: val })
+    })
+  }
+
+  const dom = document.createElement('div')
+  testItem('should can keep dom, not deep recursion', dom)
+
+  const fn = () => {}
+  testItem('should can keep function', fn)
+
+  const date = new Date()
+  testItem('should can keep date', date)
+
+  const reg = /abc/
+  testItem('should can keep regex', reg)
+})
diff --git a/ui/artalk/src/lib/merge-deep.ts b/ui/artalk/src/lib/merge-deep.ts
@@ -6,10 +6,15 @@
  * @returns New object with merged key/values
  */
 export function mergeDeep<T>(...objects: any[]): T {
-  const isObject = (obj: any) => obj && typeof obj === "object";
+  const isObject = (obj: any) => obj && typeof obj === "object" && obj.constructor === Object;
 
   return objects.reduce((prev, obj) => {
     Object.keys(obj ?? {}).forEach((key) => {
+      // Avoid prototype pollution
+      if (key === "__proto__" || key === "constructor" || key === "prototype") {
+        return
+      }
+
       const pVal = prev[key]
       const oVal = obj[key]
 

diff --git a/ui/artalk/tests/ui-api.test.ts b/ui/artalk/tests/ui-api.test.ts
@@ -117,6 +117,17 @@ describe('Artalk instance', () => {
     expect(conf.gravatar, "the gravatar which not in update should keep the same").toEqual(RemoteConf.gravatar)
   })
 
+  it('should can getEl after config updated (artalk.getEl)', () => {
+    const target = document.getElementById(ContainerID)
+    expect(target).not.toBe(null)
+
+    const el = artalk.getEl()
+    expect(el).toBe(target)
+
+    const el2 = artalk.getConf().el
+    expect(el2).toBe(target)
+  })
+
   it('should can set dark mode (artalk.setDarkMode)', () => {
     const el = artalk.getEl()
     expect(artalk.getConf().darkMode).toBe(true)