From 97dd38e15b3848f7e869c1aafe9a097f0e45c8d4 Mon Sep 17 00:00:00 2001
From: Pete Bacon Darwin <pete@bacondarwin.com>
Date: Thu, 7 Nov 2019 08:50:53 +0000
Subject: [PATCH] fix(angular.merge): do not merge __proto__ property

By blocking `__proto__` on deep merging, this commit
prevents the `Object` prototype from being polluted.

Backport to XStatic-Angular - CVE-2019-10768
---
 xstatic/pkg/angular/data/angular.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/xstatic/pkg/angular/data/angular.js b/xstatic/pkg/angular/data/angular.js
index 54f6558..da8bdad 100644
--- a/xstatic/pkg/angular/data/angular.js
+++ b/xstatic/pkg/angular/data/angular.js
@@ -415,8 +415,10 @@ function baseExtend(dst, objs, deep) {
         } else if (isElement(src)) {
           dst[key] = src.clone();
         } else {
-          if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
-          baseExtend(dst[key], [src], true);
+          if (key !== '__proto__') {
+            if (!isObject(dst[key])) dst[key] = isArray(src) ? [] : {};
+            baseExtend(dst[key], [src], true);
+          }
         }
       } else {
         dst[key] = src;
-- 
2.37.2