Merge commit from fork

kazupon · web-flow · commit 9f20909ef8c9 · 2024-11-28T13:27:36.000+09:00
* fix: XSS vulnerability with prototype pollution on AST

* test: add e2e test for scurity fix

* fix: prototype pollusion on deepCopy

* fix: update e2e

* fix: filename

* fix: change type name

* fix: more test case

* fix: change to `Object.create(null)` from object literal for more safety
diff --git a/packages/core-base/src/compilation.ts b/packages/core-base/src/compilation.ts
@@ -4,6 +4,7 @@ import {
   detectHtmlTag
 } from '@intlify/message-compiler'
 import {
+  create,
   format,
   hasOwn,
   isBoolean,
@@ -32,10 +33,10 @@ function checkHtmlMessage(source: string, warnHtmlMessage?: boolean): void {
 }
 
 const defaultOnCacheKey = (message: string): string => message
-let compileCache: unknown = Object.create(null)
+let compileCache: unknown = create()
 
 export function clearCompileCache(): void {
-  compileCache = Object.create(null)
+  compileCache = create()
 }
 
 export function isMessageAST(val: unknown): val is ResourceNode {
diff --git a/packages/core-base/src/context.ts b/packages/core-base/src/context.ts
@@ -2,6 +2,7 @@
 
 import {
   assign,
+  create,
   isArray,
   isBoolean,
   isFunction,
@@ -507,23 +508,23 @@ export function createCoreContext<Message = string>(options: any = {}): any {
       : _locale
   const messages = isPlainObject(options.messages)
     ? options.messages
-    : { [_locale]: {} }
+    : createResources(_locale)
   const datetimeFormats = !__LITE__
     ? isPlainObject(options.datetimeFormats)
       ? options.datetimeFormats
-      : { [_locale]: {} }
-    : { [_locale]: {} }
+      : createResources(_locale)
+    : createResources(_locale)
   const numberFormats = !__LITE__
     ? isPlainObject(options.numberFormats)
       ? options.numberFormats
-      : { [_locale]: {} }
-    : { [_locale]: {} }
+      : createResources(_locale)
+    : createResources(_locale)
   const modifiers = assign(
-    {},
-    options.modifiers || {},
+    create(),
+    options.modifiers,
     getDefaultLinkedModifiers<Message>()
   )
-  const pluralRules = options.pluralRules || {}
+  const pluralRules = options.pluralRules || create()
   const missing = isFunction(options.missing) ? options.missing : null
   const missingWarn =
     isBoolean(options.missingWarn) || isRegExp(options.missingWarn)
@@ -628,6 +629,8 @@ export function createCoreContext<Message = string>(options: any = {}): any {
   return context
 }
 
+const createResources = (locale: Locale) => ({ [locale]: create() })
+
 /** @internal */
 export function isTranslateFallbackWarn(
   fallback: boolean | RegExp,
diff --git a/packages/core-base/src/datetime.ts b/packages/core-base/src/datetime.ts
@@ -1,5 +1,6 @@
 import {
   assign,
+  create,
   isBoolean,
   isDate,
   isEmptyObject,
@@ -322,8 +323,8 @@ export function parseDateTimeArgs(
   ...args: unknown[]
 ): [string, number | Date, DateTimeOptions, Intl.DateTimeFormatOptions] {
   const [arg1, arg2, arg3, arg4] = args
-  const options = {} as DateTimeOptions
-  let overrides = {} as Intl.DateTimeFormatOptions
+  const options = create() as DateTimeOptions
+  let overrides = create() as Intl.DateTimeFormatOptions
 
   let value: number | Date
   if (isString(arg1)) {
diff --git a/packages/core-base/src/number.ts b/packages/core-base/src/number.ts
@@ -1,31 +1,32 @@
 import {
-  isString,
+  assign,
+  create,
   isBoolean,
-  isPlainObject,
-  isNumber,
   isEmptyObject,
-  assign
+  isNumber,
+  isPlainObject,
+  isString
 } from '@intlify/shared'
 import {
   handleMissing,
   isTranslateFallbackWarn,
-  NOT_REOSLVED,
-  MISSING_RESOLVE_VALUE
+  MISSING_RESOLVE_VALUE,
+  NOT_REOSLVED
 } from './context'
-import { CoreWarnCodes, getWarnMessage } from './warnings'
 import { CoreErrorCodes, createCoreError } from './errors'
-import { Availabilities } from './intl'
 import { getLocale } from './fallbacker'
+import { Availabilities } from './intl'
+import { CoreWarnCodes, getWarnMessage } from './warnings'
 
-import type { Locale, FallbackLocale } from './runtime'
+import type { CoreContext, CoreInternalContext } from './context'
+import type { LocaleOptions } from './fallbacker'
+import type { FallbackLocale, Locale } from './runtime'
 import type {
   NumberFormat,
-  NumberFormats as NumberFormatsType,
   NumberFormatOptions,
+  NumberFormats as NumberFormatsType,
   PickupFormatKeys
 } from './types'
-import type { LocaleOptions } from './fallbacker'
-import type { CoreContext, CoreInternalContext } from './context'
 
 /**
  *  # number
@@ -317,8 +318,8 @@ export function parseNumberArgs(
   ...args: unknown[]
 ): [string, number, NumberOptions, Intl.NumberFormatOptions] {
   const [arg1, arg2, arg3, arg4] = args
-  const options = {} as NumberOptions
-  let overrides = {} as Intl.NumberFormatOptions
+  const options = create() as NumberOptions
+  let overrides = create() as Intl.NumberFormatOptions
 
   if (!isNumber(arg1)) {
     throw createCoreError(CoreErrorCodes.INVALID_ARGUMENT)
diff --git a/packages/core-base/src/runtime.ts b/packages/core-base/src/runtime.ts
@@ -1,6 +1,7 @@
 import { HelperNameMap } from '@intlify/message-compiler'
 import {
   assign,
+  create,
   isArray,
   isFunction,
   isNumber,
@@ -360,7 +361,7 @@ export function createMessageContext<T = string, N = {}>(
   const list = (index: number): unknown => _list[index]
 
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const _named = options.named || ({} as any)
+  const _named = options.named || (create() as any)
 
   isNumber(options.pluralIndex) && normalizeNamed(pluralIndex, _named)
   const named = (key: string): unknown => _named[key]
@@ -437,7 +438,7 @@ export function createMessageContext<T = string, N = {}>(
     [HelperNameMap.TYPE]: type,
     [HelperNameMap.INTERPOLATE]: interpolate,
     [HelperNameMap.NORMALIZE]: normalize,
-    [HelperNameMap.VALUES]: assign({}, _list, _named)
+    [HelperNameMap.VALUES]: assign(create(), _list, _named)
   }
 
   return ctx
diff --git a/packages/core-base/src/translate.ts b/packages/core-base/src/translate.ts
@@ -1,5 +1,6 @@
 import {
   assign,
+  create,
   escapeHtml,
   generateCodeFrame,
   generateFormatCacheKey,
@@ -677,7 +678,7 @@ export function translate<
     : [
         key,
         locale,
-        (messages as unknown as LocaleMessages<Message>)[locale] || {}
+        (messages as unknown as LocaleMessages<Message>)[locale] || create()
       ]
   // NOTE:
   //  Fix to work around `ssrTransfrom` bug in Vite.
@@ -830,7 +831,7 @@ function resolveMessageFormat<Messages, Message>(
   } = context
   const locales = localeFallbacker(context as any, fallbackLocale, locale) // eslint-disable-line @typescript-eslint/no-explicit-any
 
-  let message: LocaleMessageValue<Message> = {}
+  let message: LocaleMessageValue<Message> = create()
   let targetLocale: Locale | undefined
   let format: PathValue = null
   let from: Locale = locale
@@ -869,7 +870,7 @@ function resolveMessageFormat<Messages, Message>(
     }
 
     message =
-      (messages as unknown as LocaleMessages<Message>)[targetLocale] || {}
+      (messages as unknown as LocaleMessages<Message>)[targetLocale] || create()
 
     // for vue-devtools timeline event
     let start: number | null = null
@@ -1044,7 +1045,7 @@ export function parseTranslateArgs<Message = string>(
   ...args: unknown[]
 ): [Path | MessageFunction<Message> | ResourceNode, TranslateOptions] {
   const [arg1, arg2, arg3] = args
-  const options = {} as TranslateOptions
+  const options = create() as TranslateOptions
 
   if (
     !isString(arg1) &&
diff --git a/packages/message-compiler/src/tokenizer.ts b/packages/message-compiler/src/tokenizer.ts
@@ -1,10 +1,10 @@
-import { createScanner, CHAR_SP as SPACE, CHAR_LF as NEW_LINE } from './scanner'
+import { CompileErrorCodes, createCompileError } from './errors'
 import { createLocation, createPosition } from './location'
-import { createCompileError, CompileErrorCodes } from './errors'
+import { createScanner, CHAR_LF as NEW_LINE, CHAR_SP as SPACE } from './scanner'
 
-import type { Scanner } from './scanner'
-import type { SourceLocation, Position } from './location'
+import type { Position, SourceLocation } from './location'
 import type { TokenizeOptions } from './options'
+import type { Scanner } from './scanner'
 
 export const enum TokenTypes {
   Text, // 0
@@ -447,6 +447,7 @@ export function createTokenizer(
   function readText(scnr: Scanner): string {
     let buf = ''
 
+     
     while (true) {
       const ch = scnr.currentChar()
       if (
diff --git a/packages/shared/src/messages.ts b/packages/shared/src/messages.ts
@@ -1,4 +1,4 @@
-import { isArray, isObject } from './utils'
+import { create, isArray, isObject } from './utils'
 
 const isNotObjectOrIsArray = (val: unknown) => !isObject(val) || isArray(val)
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -14,10 +14,13 @@ export function deepCopy(src: any, des: any): void {
 
     // using `Object.keys` which skips prototype properties
     Object.keys(src).forEach(key => {
+      if (key === '__proto__') {
+        return
+      }
       // if src[key] is an object/array, set des[key]
       // to empty object/array to prevent setting by reference
       if (isObject(src[key]) && !isObject(des[key])) {
-        des[key] = Array.isArray(src[key]) ? [] : {}
+        des[key] = Array.isArray(src[key]) ? [] : create()
       }
 
       if (isNotObjectOrIsArray(des[key]) || isNotObjectOrIsArray(src[key])) {
diff --git a/packages/shared/src/utils.ts b/packages/shared/src/utils.ts
@@ -81,6 +81,9 @@ export const isEmptyObject = (val: unknown): val is boolean =>
 
 export const assign = Object.assign
 
+const _create = Object.create
+export const create = (obj: object | null = null): object => _create(obj)
+
 let _globalThis: any
 export const getGlobalThis = (): any => {
   // prettier-ignore
@@ -95,7 +98,7 @@ export const getGlobalThis = (): any => {
             ? window
             : typeof global !== 'undefined'
               ? global
-              : {})
+              : create())
   )
 }
 
diff --git a/packages/shared/test/messages.test.ts b/packages/shared/test/messages.test.ts
@@ -48,3 +48,34 @@ test('deepCopy merges without mutating src argument', () => {
   // should not mutate source object
   expect(msg1).toStrictEqual(copy1)
 })
+
+describe('CVE-2024-52810', () => {
+  test('__proto__', () => {
+    const source = '{ "__proto__": { "pollutedKey": 123 } }'
+    const dest = {}
+
+    deepCopy(JSON.parse(source), dest)
+    expect(dest).toEqual({})
+    // @ts-ignore -- initialize polluted property
+    expect(JSON.parse(JSON.stringify({}.__proto__))).toEqual({})
+  })
+
+  test('nest __proto__', () => {
+    const source = '{ "foo": { "__proto__": { "pollutedKey": 123 } } }'
+    const dest = {}
+
+    deepCopy(JSON.parse(source), dest)
+    expect(dest).toEqual({ foo: {} })
+    // @ts-ignore -- initialize polluted property
+    expect(JSON.parse(JSON.stringify({}.__proto__))).toEqual({})
+  })
+
+  test('constructor prototype', () => {
+    const source = '{ "constructor": { "prototype": { "polluted": 1 } } }'
+    const dest = {}
+
+    deepCopy(JSON.parse(source), dest)
+    // @ts-ignore -- initialize polluted property
+    expect({}.polluted).toBeUndefined()
+  })
+})
diff --git a/packages/vue-i18n-core/src/components/DatetimeFormat.ts b/packages/vue-i18n-core/src/components/DatetimeFormat.ts
@@ -1,16 +1,16 @@
-import { defineComponent } from 'vue'
-import { assign } from '@intlify/shared'
 import { DATETIME_FORMAT_OPTIONS_KEYS } from '@intlify/core-base'
+import { assign } from '@intlify/shared'
+import { defineComponent } from 'vue'
 import { useI18n } from '../i18n'
 import { DatetimePartsSymbol } from '../symbols'
-import { renderFormatter } from './formatRenderer'
 import { baseFormatProps } from './base'
+import { renderFormatter } from './formatRenderer'
 
-import type { VNodeProps } from 'vue'
 import type { DateTimeOptions } from '@intlify/core-base'
+import type { VNodeProps } from 'vue'
 import type { Composer, ComposerInternal } from '../composer'
-import type { FormattableProps } from './formatRenderer'
 import type { BaseFormatProps } from './base'
+import type { FormattableProps } from './formatRenderer'
 
 /**
  * DatetimeFormat Component Props
diff --git a/packages/vue-i18n-core/src/components/NumberFormat.ts b/packages/vue-i18n-core/src/components/NumberFormat.ts
@@ -1,16 +1,16 @@
-import { defineComponent } from 'vue'
-import { assign } from '@intlify/shared'
 import { NUMBER_FORMAT_OPTIONS_KEYS } from '@intlify/core-base'
+import { assign } from '@intlify/shared'
+import { defineComponent } from 'vue'
 import { useI18n } from '../i18n'
 import { NumberPartsSymbol } from '../symbols'
-import { renderFormatter } from './formatRenderer'
 import { baseFormatProps } from './base'
+import { renderFormatter } from './formatRenderer'
 
-import type { VNodeProps } from 'vue'
 import type { NumberOptions } from '@intlify/core-base'
+import type { VNodeProps } from 'vue'
 import type { Composer, ComposerInternal } from '../composer'
-import type { FormattableProps } from './formatRenderer'
 import type { BaseFormatProps } from './base'
+import type { FormattableProps } from './formatRenderer'
 
 /**
  * NumberFormat Component Props
diff --git a/packages/vue-i18n-core/src/components/Translation.ts b/packages/vue-i18n-core/src/components/Translation.ts
@@ -1,12 +1,12 @@
-import { h, defineComponent } from 'vue'
-import { isNumber, isString, isObject, assign } from '@intlify/shared'
-import { TranslateVNodeSymbol } from '../symbols'
+import { assign, create, isNumber, isObject, isString } from '@intlify/shared'
+import { defineComponent, h } from 'vue'
 import { useI18n } from '../i18n'
+import { TranslateVNodeSymbol } from '../symbols'
 import { baseFormatProps } from './base'
-import { getInterpolateArg, getFragmentableTag } from './utils'
+import { getFragmentableTag, getInterpolateArg } from './utils'
 
-import type { VNodeChild, VNodeProps } from 'vue'
 import type { TranslateOptions } from '@intlify/core-base'
+import type { VNodeChild, VNodeProps } from 'vue'
 import type { Composer, ComposerInternal } from '../composer'
 import type { BaseFormatProps } from './base'
 
@@ -59,7 +59,7 @@ export const TranslationImpl = /*#__PURE__*/ defineComponent({
 
     return (): VNodeChild => {
       const keys = Object.keys(slots).filter(key => key !== '_')
-      const options = {} as TranslateOptions
+      const options = create() as TranslateOptions
       if (props.locale) {
         options.locale = props.locale
       }
@@ -73,7 +73,7 @@ export const TranslationImpl = /*#__PURE__*/ defineComponent({
         arg,
         options
       )
-      const assignedAttrs = assign({}, attrs)
+      const assignedAttrs = assign(create(), attrs)
       const tag =
         isString(props.tag) || isObject(props.tag)
           ? props.tag
diff --git a/packages/vue-i18n-core/src/components/base.ts b/packages/vue-i18n-core/src/components/base.ts
@@ -1,7 +1,7 @@
 import { Composer } from '../composer'
 
-import type { I18nScope } from '../i18n'
 import type { Locale } from '@intlify/core-base'
+import type { I18nScope } from '../i18n'
 
 export type ComponentI18nScope = Exclude<I18nScope, 'local'>
 
diff --git a/packages/vue-i18n-core/src/components/formatRenderer.ts b/packages/vue-i18n-core/src/components/formatRenderer.ts
diff --git a/packages/vue-i18n-core/src/components/index.ts b/packages/vue-i18n-core/src/components/index.ts
diff --git a/packages/vue-i18n-core/src/components/utils.ts b/packages/vue-i18n-core/src/components/utils.ts
diff --git a/packages/vue-i18n-core/src/index.ts b/packages/vue-i18n-core/src/index.ts
diff --git a/packages/vue-i18n-core/src/utils.ts b/packages/vue-i18n-core/src/utils.ts
diff --git a/packages/vue-i18n-core/src/warnings.ts b/packages/vue-i18n-core/src/warnings.ts
