Merge "[INTERNAL] sap.base: bump lodash to 4.17.23" into rel-1.145

Author: IcelandWarrior

THIRDPARTY.txt

@@ -309,7 +309,7 @@ License: MIT
 License Text: https://github.com/UI5/openui5/blob/master/LICENSES/MIT.txt
 Contained in: src/sap.ui.core/src/sap/ui/thirdparty/bignumber.js
 
-Component: lodash, version: 4.17.21
+Component: lodash, version: 4.17.23
 Copyright: OpenJS Foundation and other contributors
 License: MIT
 License Text: https://github.com/UI5/openui5/blob/master/LICENSES/MIT.txt

src/sap.ui.core/src/sap/base/util/restricted/_/lodash.custom.js

@@ -1,7 +1,7 @@
 /**
  * @license
  * Lodash (Custom Build) <https://lodash.com/>
- * Build: `lodash strict include="omit,uniq,uniqBy,uniqWith,intersection,intersectionBy,intersectionWith,pick,pickBy,debounce,throttle,max,min,castArray,curry,merge,mergeWith,toArray,xor,xorBy,xorWith,isNil,difference,differenceBy,differenceWith,flatMap,flatMapDeep,flatMapDepth,isEqual,isEqualWith,without,flatten,flattenDeep,flattenDepth,compact,zipObject,zipObjectDeep,union,unionBy,unionWith"`
+ * Build: `lodash strict include="castArray,compact,curry,debounce,difference,differenceBy,differenceWith,flatMap,flatMapDeep,flatMapDepth,flatten,flattenDeep,flattenDepth,intersection,intersectionBy,intersectionWith,isEqual,isEqualWith,isNil,max,merge,mergeWith,min,omit,pick,pickBy,throttle,toArray,union,unionBy,unionWith,uniq,uniqBy,uniqWith,without,xor,xorBy,xorWith,zipObject,zipObjectDeep"`
  * Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
  * Released under MIT license <https://lodash.com/license>
  * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>
@@ -20,7 +20,7 @@ sap.ui.define(function() {
   var undefined;
 
   /** Used as the semantic version number. */
-  var VERSION = '4.17.21';
+  var VERSION = '4.17.23';
 
   /** Used as the size to enable large array optimizations. */
   var LARGE_ARRAY_SIZE = 200;
@@ -2750,8 +2750,47 @@ sap.ui.define(function() {
    */
   function baseUnset(object, path) {
     path = castPath(path, object);
-    object = parent(object, path);
-    return object == null || delete object[toKey(last(path))];
+
+    // Prevent prototype pollution, see: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+    var index = -1,
+        length = path.length;
+
+    if (!length) {
+      return true;
+    }
+
+    var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function');
+
+    while (++index < length) {
+      var key = path[index];
+
+      // skip non-string keys (e.g., Symbols, numbers)
+      if (typeof key !== 'string') {
+        continue;
+      }
+
+      // Always block "__proto__" anywhere in the path if it's not expected
+      if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) {
+        return false;
+      }
+
+      // Block "constructor.prototype" chains
+      if (key === 'constructor' &&
+          (index + 1) < length &&
+          typeof path[index + 1] === 'string' &&
+          path[index + 1] === 'prototype') {
+
+        // Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a')
+        if (isRootPrimitive && index === 0) {
+          continue;
+        }
+
+        return false;
+      }
+    }
+
+    var obj = parent(object, path);
+    return obj == null || delete obj[toKey(last(path))];
   }
 
   /**

src/sap.ui.core/src/sap/base/util/restricted/_castArray.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#castArray}
+ * See {@link https://lodash.com/docs/4.17.23#castArray}
  *
  * @function
  * @alias module:sap/base/util/restricted/_castArray

src/sap.ui.core/src/sap/base/util/restricted/_compact.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#compact}
+ * See {@link https://lodash.com/docs/4.17.23#compact}
  *
  * @function
  * @alias module:sap/base/util/restricted/_compact

src/sap.ui.core/src/sap/base/util/restricted/_curry.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#curry}
+ * See {@link https://lodash.com/docs/4.17.23#curry}
  *
  * @function
  * @alias module:sap/base/util/restricted/_curry

src/sap.ui.core/src/sap/base/util/restricted/_debounce.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#debounce}
+ * See {@link https://lodash.com/docs/4.17.23#debounce}
  *
  * @function
  * @alias module:sap/base/util/restricted/_debounce

src/sap.ui.core/src/sap/base/util/restricted/_difference.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#difference}
+ * See {@link https://lodash.com/docs/4.17.23#difference}
  *
  * @function
  * @alias module:sap/base/util/restricted/_difference

src/sap.ui.core/src/sap/base/util/restricted/_differenceBy.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#differenceBy}
+ * See {@link https://lodash.com/docs/4.17.23#differenceBy}
  *
  * @function
  * @alias module:sap/base/util/restricted/_differenceBy

src/sap.ui.core/src/sap/base/util/restricted/_differenceWith.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#differenceWith}
+ * See {@link https://lodash.com/docs/4.17.23#differenceWith}
  *
  * @function
  * @alias module:sap/base/util/restricted/_differenceWith

src/sap.ui.core/src/sap/base/util/restricted/_flatMap.js

@@ -2,7 +2,7 @@
  * ${copyright}
  */
 /**
- * See {@link https://lodash.com/docs/4.17.21#flatMap}
+ * See {@link https://lodash.com/docs/4.17.23#flatMap}
  *
  * @function
  * @alias module:sap/base/util/restricted/_flatMap