From 94993bc856bdb447d7e4b382ac7449cbce0f5f3d Mon Sep 17 00:00:00 2001
From: Mike Jensen
Date: Mon, 18 Nov 2024 09:28:31 -0700
Subject: [PATCH] fix: session.ts Prototype-polluting assignment (#377)

This change fixes the CodeQL alerts:
* https://github.com/opentdf/web-sdk/security/code-scanning/6
* https://github.com/opentdf/web-sdk/security/code-scanning/7

Fixed by adding validation to ensure that the user supplied `response.state` can not be interpreted in a way that would result in unexpected invocation.
---
 web-app/src/session.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/web-app/src/session.ts b/web-app/src/session.ts
index fd5145c8..a978ffd0 100644
--- a/web-app/src/session.ts
+++ b/web-app/src/session.ts
@@ -284,6 +284,13 @@ export class OidcClient implements AuthProvider {
     if (response._ === 'FAIL') {
       throw new Error(`OIDC auth ${response.error || 'error'}: [${response.error_description}]`);
     }
+    if (
+      response.state === '__proto__' ||
+      response.state === 'constructor' ||
+      response.state === 'prototype'
+    ) {
+      throw new Error('Invalid state value');
+    }
     const currentSession = sessions.requests[response.state];
     if (!currentSession) {
       throw new Error(`OIDC auth error: session storage missing state for ${response}`);
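Review bot: The deny-list in the added `if` only names three keys, but `sessions.requests[response.state]` on the following line is a plain property lookup, so any other key inherited from `Object.prototype` (for example `toString` or `hasOwnProperty`) resolves to a function, is truthy, and passes the `!currentSession` guard as though it were a stored session. An own-property check closes the whole class rather than three names: `if (!Object.prototype.hasOwnProperty.call(sessions.requests, response.state)) { throw new Error('Invalid state value'); }` (or `Object.hasOwn` if the build target is ES2022 or later); alternatively, creating `sessions.requests` with `Object.create(null)` or a `Map` removes the inherited keys at the source, though where it is constructed is not visible here. The own-property form also handles a missing or non-string `response.state`, which the three strict-equality comparisons do not; whether `response.state` is validated earlier in the method cannot be seen from the hunk. The enclosing method starts before the hunk and continues after it.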