
Commit 7fb065a

paulo-ferraz-oliveiramruoss
authored andcommitted
Keep versioning consistent
1 parent ffcf1e2 commit 7fb065a


3 files changed

+701
-257
lines changed


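--- a/dist/index.js
+++ b/dist/index.js
@@ -5700,7 +5700,7 @@ function coerce (version, options) {
 var undefined;
 
 /** Used as the semantic version number. */
-var VERSION = '4.17.21';
+var VERSION = '4.17.23';
 
 /** Used as the size to enable large array optimizations. */
 var LARGE_ARRAY_SIZE = 200;
@@ -9454,7 +9454,7 @@ function coerce (version, options) {
 if (isArray(iteratee)) {
 return function(value) {
 return baseGet(value, iteratee.length === 1 ? iteratee[0] : iteratee);
-}
+};
 }
 return iteratee;
 });
@@ -10058,8 +10058,47 @@ function coerce (version, options) {
 */
 function baseUnset(object, path) {
 path = castPath(path, object);
-object = parent(object, path);
-return object == null || delete object[toKey(last(path))];
+
+// Prevent prototype pollution, see: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+var index = -1,
+length = path.length;
+
+if (!length) {
+return true;
+}
+
+var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function');
+
+while (++index < length) {
+var key = path[index];
+
+// skip non-string keys (e.g., Symbols, numbers)
+if (typeof key !== 'string') {
+continue;
+}
+
+// Always block "__proto__" anywhere in the path if it's not expected
+if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) {
+return false;
+}
+
+// Block "constructor.prototype" chains
+if (key === 'constructor' &&
+(index + 1) < length &&
+typeof path[index + 1] === 'string' &&
+path[index + 1] === 'prototype') {
+
+// Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a')
+if (isRootPrimitive && index === 0) {
+continue;
+}
+
+return false;
+}
+}
+
+var obj = parent(object, path);
+return obj == null || delete obj[toKey(last(path))];
 }
 
 /**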
