
Commit 24dc6ec

fix: replace {} with Object.create(null) for defense-in-depth in apps engine (#40763)
1 parent 1b88937 commit 24dc6ec

3 files changed

Lines changed: 7 additions & 2 deletions


Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
---
2+
'@rocket.chat/apps': patch
3+
---
4+
5+
Replaces {} with Object.create(null) to ensure defense-in-depth against prototype pollution

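--- a/packages/apps/src/server/AppManager.ts
+++ b/packages/apps/src/server/AppManager.ts
@@ -845,7 +845,7 @@ export class AppManager {
 }
 
 public getLanguageContent(): { [key: string]: object } {
-const langs: { [key: string]: object } = {};
+const langs: { [key: string]: object } = Object.create(null);
 
 this.apps.forEach((rl) => {
 const content = rl.getStorageItem().languageContent;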
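Review bot: The object returned by the public `getLanguageContent()` now has no prototype, so any consumer that calls inherited methods on it (`langs.hasOwnProperty(k)`, `langs.toString()`, string interpolation) will throw where it previously worked; the callers are not visible on this page, so that should be checked before merging. I would state the contract on the method, e.g. `/** Returns a null-prototype map keyed by language; enumerate with Object.keys/Object.entries and test membership with Object.hasOwn. */`. The same applies to the private `getLanguageContent(zip)` in AppPackageParser.ts if its result is handed on to other code. The method body continues past the end of the hunk, so how `content` is merged into `langs` cannot be judged from here.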

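--- a/packages/apps/src/server/compiler/AppPackageParser.ts
+++ b/packages/apps/src/server/compiler/AppPackageParser.ts
@@ -93,7 +93,7 @@ export class AppPackageParser {
 }
 
 private getLanguageContent(zip: AdmZip): { [key: string]: object } {
-const languageContent: { [key: string]: object } = {};
+const languageContent: { [key: string]: object } = Object.create(null);
 
 zip
 .getEntries()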
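Review bot: Only the outer map on line 96 is hardened; the per-language values typed `object` are presumably still built as ordinary objects further down the chain that starts at `zip.getEntries()`, which lies outside the hunk. If their keys also come from files inside the app package, they deserve the same treatment or an explicit key check, which is worth confirming against the rest of the method. A one-line comment above the declaration would keep the intent from being simplified away later, for example `// null-prototype on purpose: keys are presumably derived from zip entry names`. The commit also touches only the changeset and the two source files, so no test pins the behaviour; a case asserting that an entry resolving to the key `__proto__` ends up as an own property and leaves `Object.prototype` unchanged would cover it.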
