fix: prototype pollution vulnerability in extend (CVE-2024-45435)

Fixes #1427. https://nvd.nist.gov/vuln/detail/CVE-2024-45435 https://gist.github.com/tariqhawis/c67177164d3b7975210caddb25b60d62 Signed-off-by: Anders Kaseorg <[email protected]>
chartist-js · Oct 2, 2024 · 4801823 · 4801823
1 parent 1067900
commit 4801823
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/utils/extend.ts b/src/utils/extend.ts
@@ -12,6 +12,9 @@ export function extend(target: any = {}, ...sources: any[]) {
   for (let i = 0; i < sources.length; i++) {
     const source = sources[i];
     for (const prop in source) {
+      if (prop === '__proto__' || prop === 'constructor') {
+        continue;
+      }
       const sourceProp = source[prop];
       if (
         typeof sourceProp === 'object' &&