
How can I change this object property assignment to avoid prototype pollution

I have a line of code that looks like

  gMapping[userName] = gMapping[userName] || [];

I see a Prototype Pollution vulnerability raised by Snyk. How can this be resolved?

Relevant code:

const gMapping: { [user_name: string]: string[] } = {};

// Map records to dictionaries
dbRecs.forEach(rec => {
    const userName = rec.user_name;
    const groupId = rec.group_id;
    gMapping[userName] = gMapping[userName] || [];
    gMapping[userName].push(groupId);
});

The problem is that userName could be "__proto__". I'm not certain this would be exploitable in your case, but it still causes an exception when trying to invoke .push() on Object.prototype.

To avoid this issue, either use Object.create(null) (which isn't easy with TypeScript, unfortunately) or switch to a proper ES6 Map<string, string[]>.
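
The two fixes named in the answer, shown next to the question's original pattern, as an added TypeScript example (not code from the question or the answer). The GroupRec interface, the function names and the sample records are constructed for illustration.

```typescript
interface GroupRec { user_name: string; group_id: string }

// Constructed sample records (not from the page); two use the special key.
const sampleRecs: GroupRec[] = [
  { user_name: "alice", group_id: "g1" },
  { user_name: "__proto__", group_id: "g2" },
  { user_name: "__proto__", group_id: "g3" },
];

// Before: the question's pattern on a plain object. For "__proto__" the lookup
// returns Object.prototype, so .push() throws a TypeError.
function groupWithPlainObject(recs: GroupRec[]): { [user_name: string]: string[] } {
  const mapping: { [user_name: string]: string[] } = {};
  for (const rec of recs) {
    const groups = mapping[rec.user_name] || [];
    mapping[rec.user_name] = groups;
    groups.push(rec.group_id);
  }
  return mapping;
}

// Fix 1: a Map stores keys as data and never consults a prototype chain.
function groupWithMap(recs: GroupRec[]): Map<string, string[]> {
  const mapping = new Map<string, string[]>();
  for (const rec of recs) {
    let groups = mapping.get(rec.user_name);
    if (groups === undefined) {
      groups = [];
      mapping.set(rec.user_name, groups);
    }
    groups.push(rec.group_id);
  }
  return mapping;
}

// Fix 2: an object without a prototype, where "__proto__" is an ordinary own
// property. Object.create(null) returns `any`, hence the explicit annotation.
function groupWithNullProto(recs: GroupRec[]): Record<string, string[]> {
  const mapping: Record<string, string[]> = Object.create(null);
  for (const rec of recs) {
    const groups = mapping[rec.user_name] || [];
    mapping[rec.user_name] = groups;
    groups.push(rec.group_id);
  }
  return mapping;
}
```

With the null-prototype object, inherited helpers such as hasOwnProperty and toString are also absent, so callers have to use Object.keys or the `in` operator.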
