I have a line of code that looks like:

    gMapping[userName] = gMapping[userName] || [];

I see a Prototype pollution vulnerability raised by Snyk. How can this be resolved?
Relevant code:

    const gMapping: { [user_name: string]: string[] } = {};
    // Map records to dictionaries
    dbRecs.forEach(rec => {
      const userName = rec.user_name;
      const groupId = rec.group_id;
      gMapping[userName] = gMapping[userName] || [];
      gMapping[userName].push(groupId);
    });

The problem is that userName could be "__proto__". I'm not certain this would be exploitable in your case, but it still causes an exception when trying to invoke .push() on Object.prototype.

To avoid this issue, either use Object.create(null) (which isn't easy with TypeScript, unfortunately) or switch to a proper ES6 Map<string, string[]>.
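
The failure described in the answer and the Map-based fix, side by side, as an added example that is not part of the original question or answer. The sample rows and the function names are constructed for illustration.

```typescript
// Added illustration. Field names follow the question; the rows are constructed.
type Rec = { user_name: string; group_id: string };
const sampleRecs: Rec[] = [
  { user_name: "alice", group_id: "g1" },
  { user_name: "__proto__", group_id: "g2" },
  { user_name: "alice", group_id: "g3" },
];

// The question's pattern: a plain object indexed by an untrusted string.
function groupWithPlainObject(recs: Rec[]): { [k: string]: string[] } {
  const gMapping: { [k: string]: string[] } = {};
  recs.forEach(rec => {
    // For "__proto__" this read returns Object.prototype, which is truthy,
    // so no array is created and .push() below is called on Object.prototype.
    gMapping[rec.user_name] = gMapping[rec.user_name] || [];
    gMapping[rec.user_name].push(rec.group_id);
  });
  return gMapping;
}

// Returns the error name if grouping throws, or null if it succeeds.
function plainObjectFailure(recs: Rec[]): string | null {
  try {
    groupWithPlainObject(recs);
    return null;
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : String(e);
  }
}

// The answer's fix: Map keys are stored as data, never resolved via the prototype.
function groupWithMap(recs: Rec[]): Map<string, string[]> {
  const gMapping = new Map<string, string[]>();
  recs.forEach(rec => {
    const groups = gMapping.get(rec.user_name) || [];
    groups.push(rec.group_id);
    gMapping.set(rec.user_name, groups);
  });
  return gMapping;
}

console.log(plainObjectFailure(sampleRecs));
console.log(groupWithMap(sampleRecs).get("__proto__"));
```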