Tried to fix possible prototype pollution reported by Deepcode.ai.

Thanks to Deepcode.ai and xet7 !
2025-12-18 16:30:13 +01:00 · 2021-01-22 16:37:42 +02:00 · 2021-01-22 16:37:42 +02:00 · 8f553497e4
commit 8f553497e4
parent 0373da44b3
1 changed files with 36 additions and 34 deletions
--- a/client/components/main/globalSearch.js
+++ b/client/components/main/globalSearch.js
@ -247,44 +247,46 @@ BlazeComponent.extendComponent({
        } else {
          op = m.groups.abbrev;
        }
-        if (op in operatorMap) {
+        if (op !== "__proto__") {
-          let value = m.groups.value;
+          if (op in operatorMap) {
-          if (operatorMap[op] === 'labels') {
+            let value = m.groups.value;
-            if (value in this.colorMap) {
+            if (operatorMap[op] === 'labels') {
-              value = this.colorMap[value];
+              if (value in this.colorMap) {
-            }
+                value = this.colorMap[value];
-          } else if (
+              }
-            ['dueAt', 'createdAt', 'modifiedAt'].includes(operatorMap[op])
+            } else if (
-          ) {
+              ['dueAt', 'createdAt', 'modifiedAt'].includes(operatorMap[op])
-            const days = parseInt(value, 10);
+            ) {
-            if (isNaN(days)) {
+              const days = parseInt(value, 10);
-              if (['day', 'week', 'month', 'quarter', 'year'].includes(value)) {
+              if (isNaN(days)) {
-                value = moment()
+                if (['day', 'week', 'month', 'quarter', 'year'].includes(value)) {
-                  .subtract(1, value)
+                  value = moment()
-                  .format();
+                    .subtract(1, value)
-              } else {
+                    .format();
-                this.parsingErrors.push({
+                } else {
-                  tag: 'operator-number-expected',
+                  this.parsingErrors.push({
-                  value: { operator: op, value },
+                    tag: 'operator-number-expected',
-                });
+                    value: { operator: op, value },
-                value = null;
+                  });
                  value = null;
                }
              } else {
                value = moment()
                  .subtract(days, 'days')
                  .format();
              }
            } else {
              value = moment()
                .subtract(days, 'days')
                .format();
            }
-          }
+            if (Array.isArray(params[operatorMap[op]])) {
-          if (Array.isArray(params[operatorMap[op]])) {
+              params[operatorMap[op]].push(value);
-            params[operatorMap[op]].push(value);
+            } else {
              params[operatorMap[op]] = value;
            }
          } else {
-            params[operatorMap[op]] = value;
+            this.parsingErrors.push({
              tag: 'operator-unknown-error',
              value: op,
            });
          }
        } else {
          this.parsingErrors.push({
            tag: 'operator-unknown-error',
            value: op,
          });
        }
        continue;
      }