Fix prototype pollution security issue. fixes #1331

ChenKS12138 · fdintino · commit aa9e5b9ef126 · 2020-11-24T22:46:10.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,10 @@ Unreleased
 * Add `base` arg to
   [`int` filter](https://mozilla.github.io/nunjucks/templating.html#int).
 * Move `chokidar` to `peerDependencies` and mark it `optional` in `peerDependenciesMeta`.
+* Fix prototype pollution issue for template variables. Merge of
+  [#1330](https://github.com/mozilla/nunjucks/pull/1330); fixes
+  [#1331](https://github.com/mozilla/nunjucks/issues/1331). Thanks
+  [ChenKS12138](https://github.com/ChenKS12138)!
 
 3.2.2 (Jul 20 2020)
 -------------------
diff --git a/nunjucks/src/runtime.js b/nunjucks/src/runtime.js
@@ -12,7 +12,7 @@ var supportsIterators = (
 // variables, for example.
 class Frame {
   constructor(parent, isolateWrites) {
-    this.variables = {};
+    this.variables = Object.create(null);
     this.parent = parent;
     this.topLevel = false;
     // if this is true, writes (set) should never propagate upwards past
diff --git a/tests/runtime.js b/tests/runtime.js
@@ -110,5 +110,21 @@
 
       finish(done);
     });
+
+    it('should not read variables property from Object.prototype', function(done) {
+      var payload = 'function(){ return 1+2; }()';
+      var data = {};
+      Object.getPrototypeOf(data).payload = payload;
+
+      render('{{ payload }}', data, {
+        noThrow: true
+      }, function(err, res) {
+        expect(err).to.equal(null);
+        expect(res).to.equal(payload);
+      });
+      delete Object.getPrototypeOf(data).payload;
+
+      finish(done);
+    });
   });
 }());
