From 12b84bd1a47c21d50b0261d5af2287c6c625b0db Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Wed, 2 Oct 2024 11:33:40 -0700
Subject: [PATCH] fix: prototype pollution vulnerability in extend (CVE-2024-45435)

Fixes #1427.
https://nvd.nist.gov/vuln/detail/CVE-2024-45435
https://gist.github.com/tariqhawis/c67177164d3b7975210caddb25b60d62
Signed-off-by: Anders Kaseorg
---
 src/utils/extend.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/utils/extend.ts b/src/utils/extend.ts
index 99ea3b28..77f4b4a6 100644
--- a/src/utils/extend.ts
+++ b/src/utils/extend.ts
@@ -11,7 +11,11 @@ export function extend(target: T, a: A, b: B): T & A & B;
 export function extend(target: any = {}, ...sources: any[]) {
 for (let i = 0; i < sources.length; i++) {
 const source = sources[i];
+ const targetProto = Object.getPrototypeOf(target);
 for (const prop in source) {
+ if (targetProto !== null && prop in targetProto) {
+ continue; // prevent prototype pollution
+ }
 const sourceProp = source[prop];
 if (
 typeof sourceProp === 'object' &&
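Review bot: The added guard `prop in targetProto` skips every source key found anywhere on the target's prototype chain, not only `__proto__` and `constructor`. On a plain-object target, keys such as `toString` or `valueOf` are therefore dropped silently, and on a target with a custom prototype an inherited default can no longer be overridden. The comment should state that scope, e.g. `// skip keys the target inherits (__proto__, constructor, toString, ...): writing them could reach a shared prototype`. `targetProto` does not depend on `i`, so `const targetProto = Object.getPrototypeOf(target);` can move above the outer `for` loop. The diffstat lists only `src/utils/extend.ts`, so a regression test is missing: merge a `JSON.parse`d object carrying a `__proto__` key and assert that a fresh `{}` gains no new property. The recursive branch of `extend` lies outside this hunk, so whether nested targets pass through the same check should be confirmed there.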