Open yllhwa opened 2 months ago
复现代码1:
let deepMix = require("@antv/util").deepMix; let BAD_JSON = JSON.parse('{"__proto__":{"test":123}}'); let obj = {}; deepMix(obj, BAD_JSON); console.log({}.test); // 123
问题代码: https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/deep-mix.ts#L42-L47
复现代码2:
let set = require("@antv/util").set; let obj = {}; set(obj, "__proto__.test", 123); console.log({}.test); // 123
问题代码: https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/set.ts#L5-L29
有改进方式吗?
hustcc
commented
2 months ago hustcc
commented
2 months ago
复现代码1:
问题代码: https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/deep-mix.ts#L42-L47
复现代码2:
问题代码: https://github.com/antvis/util/blob/c499a30265ccf6099fc6e23d123f04b547eeaf5d/src/lodash/set.ts#L5-L29