🔒️ fix CVE-2019-11358

ctcpip · ctcpip · commit 836574819a7c · 2024-02-20T21:14:05.000-06:00
diff --git a/src/core.js b/src/core.js
@@ -156,8 +156,9 @@ jQuery.extend = jQuery.fn.extend = function() {
 				src = target[ name ];
 				copy = options[ name ];
 
+				// Prevent Object.prototype pollution
 				// Prevent never-ending loop
-				if ( target === copy ) {
+				if ( name === "__proto__" || target === copy ) {
 					continue;
 				}
 
diff --git a/test/unit/core.js b/test/unit/core.js
@@ -1228,6 +1228,13 @@ QUnit.test( "jQuery.extend(true,{},{a:[], o:{}}); deep copy with array, followed
 	assert.ok( !jQuery.isArray( result.object ), "result.object wasn't paved with an empty array" );
 } );
 
+QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
+	assert.expect( 1 );
+
+	jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
+	assert.ok( !( "devMode" in {} ), "Object.prototype not polluted" );
+} );
+
 QUnit.test( "jQuery.each(Object,Function)", function( assert ) {
 	assert.expect( 23 );
 

Original file line number	Diff line number	Diff line change
`@@ -156,8 +156,9 @@ jQuery.extend = jQuery.fn.extend = function() {`
`156`	`156`	`src = target[ name ];`
`157`	`157`	`copy = options[ name ];`
`158`	`158`
	`159`	`+ // Prevent Object.prototype pollution`
`159`	`160`	`// Prevent never-ending loop`
`160`		`- if ( target === copy ) {`
	`161`	`+ if ( name === "__proto__" \|\| target === copy ) {`
`161`	`162`	`continue;`
`162`	`163`	`}`
`163`	`164`