Tried to fix possible prototype pollution reported by Deepcode.ai.

Thanks to Deepcode.ai and xet7 !
2025-04-24 14:08:31 -04:00 · 2021-01-22 16:37:42 +02:00 · 2021-01-22 16:37:42 +02:00 · 8f553497e4
commit 8f553497e4
parent 0373da44b3
1 changed files with 36 additions and 34 deletions
--- a/client/components/main/globalSearch.js
+++ b/client/components/main/globalSearch.js
@ -247,44 +247,46 @@ BlazeComponent.extendComponent({
        } else {
          op = m.groups.abbrev;
        }
-        if (op in operatorMap) {
-          let value = m.groups.value;
-          if (operatorMap[op] === 'labels') {
-            if (value in this.colorMap) {
-              value = this.colorMap[value];
-            }
-          } else if (
-            ['dueAt', 'createdAt', 'modifiedAt'].includes(operatorMap[op])
-          ) {
-            const days = parseInt(value, 10);
-            if (isNaN(days)) {
-              if (['day', 'week', 'month', 'quarter', 'year'].includes(value)) {
-                value = moment()
-                  .subtract(1, value)
-                  .format();
-              } else {
-                this.parsingErrors.push({
-                  tag: 'operator-number-expected',
-                  value: { operator: op, value },
-                });
-                value = null;
+        if (op !== "__proto__") {
+          if (op in operatorMap) {
+            let value = m.groups.value;
+            if (operatorMap[op] === 'labels') {
+              if (value in this.colorMap) {
+                value = this.colorMap[value];
+              }
+            } else if (
+              ['dueAt', 'createdAt', 'modifiedAt'].includes(operatorMap[op])
+            ) {
+              const days = parseInt(value, 10);
+              if (isNaN(days)) {
+                if (['day', 'week', 'month', 'quarter', 'year'].includes(value)) {
+                  value = moment()
+                    .subtract(1, value)
+                    .format();
+                } else {
+                  this.parsingErrors.push({
+                    tag: 'operator-number-expected',
+                    value: { operator: op, value },
+                  });
+                  value = null;
+                }
+              } else {
+                value = moment()
+                  .subtract(days, 'days')
+                  .format();
              }
-            } else {
-              value = moment()
-                .subtract(days, 'days')
-                .format();
            }
-          }
-          if (Array.isArray(params[operatorMap[op]])) {
-            params[operatorMap[op]].push(value);
+            if (Array.isArray(params[operatorMap[op]])) {
+              params[operatorMap[op]].push(value);
+            } else {
+              params[operatorMap[op]] = value;
+            }
          } else {
-            params[operatorMap[op]] = value;
+            this.parsingErrors.push({
+              tag: 'operator-unknown-error',
+              value: op,
+            });
          }
-        } else {
-          this.parsingErrors.push({
-            tag: 'operator-unknown-error',
-            value: op,
-          });
        }
        continue;
      }