From 97dd38e15b3848f7e869c1aafe9a097f0e45c8d4 Mon Sep 17 00:00:00 2001
From: Pete Bacon Darwin <pete@bacondarwin.com>
Date: Thu, 7 Nov 2019 08:50:53 +0000
Subject: [PATCH] fix(angular.merge): do not merge __proto__ property
By blocking `__proto__` on deep merging, this commit
prevents the `Object` prototype from being polluted.
Backport to XStatic-Angular - CVE-2019-10768
---
xstatic/pkg/angular/data/angular.js | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/xstatic/pkg/angular/data/angular.js b/xstatic/pkg/angular/data/angular.js
index 54f6558..da8bdad 100644
--- a/xstatic/pkg/angular/data/angular.js
+++ b/xstatic/pkg/angular/data/angular.js
@@ -415,8 +415,10 @@ function baseExtend(dst, objs, deep) {
} else if (isElement(src)) {
dst[key] = src.clone();
} else {
- if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
- baseExtend(dst[key], [src], true);
+ if (key !== '__proto__') {
+ if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
+ baseExtend(dst[key], [src], true);
+ }
}
} else {
dst[key] = src;
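Review bot: The new `key !== '__proto__'` guard covers only the deep-recursion branch; the shallow assignment `dst[key] = src;` at the end of the hunk still runs for an own `__proto__` key (as produced by `JSON.parse('{"__proto__": ...}')`) when `deep` is false or `src` is not an object, so the prototype of `dst` itself can still be reassigned — not a global `Object.prototype` pollution, but a caller-visible side effect worth stating. This appears to match the upstream 1.7.9 fix, so I would not widen the guard in a backport, but the silent drop deserves a why-comment on the new condition: `// Skip own "__proto__" keys (e.g. from JSON.parse): dst[key] would resolve to Object.prototype and the recursive merge would pollute it.` Relatedly, a `constructor.prototype` chain is only harmless here if `isObject` returns false for functions, so that `dst.constructor` is replaced by a fresh `{}` rather than merged into; `isObject` is not visible in this hunk, so please confirm. The enclosing `baseExtend` loop and function start and end outside this hunk.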
--
2.37.2