diff --git a/package.json b/package.json
index 21314d14a..bc8ae74ca 100644
--- a/package.json
+++ b/package.json
@@ -96,7 +96,8 @@
 "rollup-plugin-node-resolve": "^5.2.0",
 "rollup-plugin-size-snapshot": "^0.12.0",
 "sinon": "^9.2.0",
- "sinon-chai": "^3.5.0"
+ "sinon-chai": "^3.5.0",
+ "synchronous-promise": "^2.0.15"
 },
 "dependencies": {
 "@babel/runtime": "^7.10.5",
diff --git a/src/locale.js b/src/locale.js
index 6838516f6..2fdbe80a3 100644
--- a/src/locale.js
+++ b/src/locale.js
@@ -63,7 +63,7 @@ export let array = {
 max: '${path} field must have less than or equal to ${max} items',
 };
 
-export default {
+export default Object.assign(Object.create(null), {
 mixed,
 string,
 number,
@@ -71,4 +71,4 @@ export default {
 object,
 array,
 boolean,
-};
+});
diff --git a/test/object.js b/test/object.js
index 6d56ae939..18cf67378 100644
--- a/test/object.js
+++ b/test/object.js
@@ -153,7 +153,7 @@ describe('Object types', () => {
 err.message.should.match(/must be a `string` type/);
 });
 
-it.only('should respect child schema with strict()', async () => {
+it('should respect child schema with strict()', async () => {
 inst = object({
 field: number().strict(),
 });
diff --git a/test/setLocale.js b/test/setLocale.js
index 81b93baa6..7582ac15a 100644
--- a/test/setLocale.js
+++ b/test/setLocale.js
@@ -23,4 +23,20 @@ describe('Custom locale', () => {
 const locale = require('../src/locale').default;
 expect(locale.string.email).to.equal('Invalid email');
 });
+
+ it('should not allow prototype pollution', () => {
+ const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
+
+ expect(() => setLocale(payload)).to.throw();
+
+ expect(payload).not.to.have.property('polluted');
+ });
+
+ it('should not pollute Object.prototype builtins', () => {
+ const payload = { toString: { polluted: 'oh no' } };
+
+ expect(() => setLocale(payload)).to.throw();
+
+ expect(Object.prototype.toString).not.to.have.property('polluted');
+ });
 });
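Review bot: The new devDependency `synchronous-promise` has no consumer anywhere in this diff — none of the changed test files import it — so unless a test outside the patch requires it, it is an unused package that widens the supply-chain surface of every dev install for nothing. If it is needed, the commit message or the test that uses it should say why; if not, drop the line `"synchronous-promise": "^2.0.15"` (and the trailing comma added to the `sinon-chai` entry) and regenerate the lockfile. The lockfile change is not part of this diff, so the version that actually resolves for the caret range cannot be checked here.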
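Review bot: Building the default export on `Object.create(null)` closes the `__proto__`/`toString` route only as a side effect: an unknown top-level key now reads as `undefined` on the locale object and, presumably, whatever `setLocale` does with it throws a TypeError — that is an incidental failure, not a validation, and `setLocale` itself is outside this diff. Nothing in `locale.js` records that contract, so a comment such as `// Prototype-less on purpose: setLocale must not be able to reach Object.prototype through keys like __proto__ or toString` would keep a future cleanup from reverting this to a plain literal. The per-type objects (`mixed`, `string`, …) remain ordinary objects, so the explicit guard belongs in `setLocale`, e.g. rejecting any `type` for which `Object.prototype.hasOwnProperty.call(locale, type)` is false with a descriptive error, rather than relying on the TypeError. Callers that invoke `locale.toString()` or `locale.hasOwnProperty()` on the default export will now throw, which deserves a changelog line.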
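Review bot: Restoring `it` from `it.only` is right, but nothing stops the same slip from landing again, and while an `it.only` is present every other case in the suite — including the new prototype-pollution tests in this same commit — is silently skipped, so a green run proves little. Enabling `mocha/no-exclusive-tests` in the ESLint config, or running the suite with `mocha --forbid-only` in CI, turns this into a build failure instead of a review catch. The enclosing `describe('Object types', …)` and the body of this test continue outside the hunk.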
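Review bot: Both new cases assert only `.to.throw()` with no error type or message, so they also pass if `setLocale` throws for an unrelated reason (a later typo, a missing import), which would mask a regression of the very fix they guard; pin it, e.g. `expect(() => setLocale(payload)).to.throw(TypeError)` once the thrown type is confirmed from `setLocale`. The first case inspects `payload` rather than the global; if I read chai's `.property` right it also matches inherited keys and `payload`'s real prototype is `Object.prototype`, so it does detect pollution, but `expect(({}).polluted).to.equal(undefined)` states the intent directly. Because a failing run would leave `Object.prototype` polluted for every test that follows, add an `afterEach(() => { delete Object.prototype.polluted; delete Object.prototype.toString.polluted; })` so one failure does not cascade into unrelated ones. The `describe('Custom locale', …)` block begins before the hunk.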