From 63e627cece1592d03abadf36044c957b801c7315 Mon Sep 17 00:00:00 2001
From: Andris Reinman
Date: Thu, 19 Sep 2024 12:11:43 +0300
Subject: [PATCH] fix(security): Fixed GHSA-g974-hxvm-x689

---
 lib/gettext.js | 30 ++++++++++++++++++++++++++++++
 test/gettext-test.js | 5 +++++
 2 files changed, 35 insertions(+)

diff --git a/lib/gettext.js b/lib/gettext.js
index a0a030d..57dd9b7 100644
--- a/lib/gettext.js
+++ b/lib/gettext.js
@@ -105,6 +105,26 @@ Gettext.prototype.warn = function (message) {
 * @param {Object} translations An object of gettext-parser JSON shape
 */
 Gettext.prototype.addTranslations = function (locale, domain, translations) {
+ if (typeof locale !== 'string') {
+ this.warn('You called addTranslations() with an argument of type ' + typeof locale + '. The locale must be a string.');
+ return;
+ }
+
+ if (typeof locale !== 'string') {
+ this.warn('You called setLocale() with an argument of type ' + typeof locale + '. The locale must be a string.');
+ return;
+ }
+
+ if (locale in {}) {
+ this.warn('Can not use reserved key as locale');
+ return;
+ }
+
+ if (domain in {}) {
+ this.warn('Can not use reserved key as domain');
+ return;
+ }
+
 if (!this.catalogs[locale]) {
 this.catalogs[locale] = {};
 }
@@ -126,6 +146,11 @@ Gettext.prototype.setLocale = function (locale) {
 return;
 }
+ if (locale in {}) {
+ this.warn('Can not use reserved key as locale');
+ return;
+ }
+
 if (locale.trim() === '') {
 this.warn('You called setLocale() with an empty value, which makes little sense.');
 }
@@ -151,6 +176,11 @@ Gettext.prototype.setTextDomain = function (domain) {
 return;
 }
+ if (domain in {}) {
+ this.warn('Can not use reserved key as domain');
+ return;
+ }
+
 if (domain.trim() === '') {
 this.warn('You called setTextDomain() with an empty `domain` value.');
 }
diff --git a/test/gettext-test.js b/test/gettext-test.js
index a5bbefa..acb04a7 100644
--- a/test/gettext-test.js
+++ b/test/gettext-test.js
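Review bot: The second `typeof locale !== 'string'` guard in addTranslations is unreachable — it repeats the check four lines above and its message names setLocale(), so it looks like a copy-paste that was meant to validate `domain` (the hunk shows no string check on `domain` before `domain in {}`). Either drop it or change it to `if (typeof domain !== 'string') { this.warn('You called addTranslations() with a domain of type ' + typeof domain + '. The domain must be a string.'); return; }`. The same `x in {}` reserved-key test now appears three times (here, in setLocale and in setTextDomain); a small helper such as `function isReservedKey(key) { return key in {}; }` with a comment — `// keys inherited from Object.prototype (__proto__, constructor, ...) would let a caller modify the shared prototype through this.catalogs[locale][domain]` — would keep the three sites in step and record why the check exists. addTranslations continues below the hunk.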
@@ -262,6 +262,11 @@ describe('Gettext', () => {
 expect(errorListener.callCount).to.equal(0);
 });
+ it('should emit an error event when adding a reserved key as locale', () => {
+ gt.addTranslations('__proto__', 'polluted', 'pwned');
+ expect(errorListener.callCount).to.equal(1);
+ });
+
 it('should emit an error event when a locale that has no translations is set', () => {
 gt.setLocale('et-EE');
 expect(errorListener.callCount).to.equal(1);
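Review bot: The new test only checks that a warning was emitted; it does not assert that the call left `Object.prototype` untouched, which is the property the fix is meant to guarantee. Adding `expect({}.polluted).to.equal(undefined);` after the `addTranslations` call makes a regression in the guard fail on the pollution itself rather than only on the warning count. The `domain` position and the new guards in setLocale() and setTextDomain() get no coverage here; a parallel `it(...)` for each (`gt.addTranslations('et-EE', '__proto__', {})`, `gt.setLocale('__proto__')`, `gt.setTextDomain('__proto__')`) asserting one error event and an unchanged `{}` would close that gap. The enclosing `describe` block starts before and ends after the hunk.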