
Commit 8cc9a07

Copilothotlong
andcommitted
fix: address security vulnerabilities in tenant resolver and permission evaluator
Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>
1 parent c9e5707 commit 8cc9a07

3 files changed

Lines changed: 17 additions & 4 deletions


ROADMAP.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ ObjectUI is a universal Server-Driven UI (SDUI) engine built on React + Tailwind
2424
### Achievements ✅
2525

2626
**Architecture & Quality:**
27-
-32 packages in monorepo (16 plugins, 4 core, 12 tools)
27+
-35 packages in monorepo (20 plugins, 4 core, 11 tools)
2828
- ✅ 91+ components fully documented
2929
- ✅ 57+ Storybook stories with interactive demos
3030
- ✅ TypeScript 5.9+ strict mode (100%)

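--- a/packages/permissions/src/evaluator.ts
+++ b/packages/permissions/src/evaluator.ts
@@ -110,7 +110,12 @@ export function evaluateCondition(
 condition: PermissionCondition,
 record: Record<string, unknown>,
 ): boolean {
-const value = record[condition.field];
+// Prevent prototype pollution via dangerous property access
+if (['__proto__', 'constructor', 'prototype'].includes(condition.field)) {
+return false;
+}
+
+const value = Object.prototype.hasOwnProperty.call(record, condition.field) ? record[condition.field] : undefined;
 
 switch (condition.operator) {
 case 'eq':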
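Review bot: The comment on the added guard says it prevents prototype pollution, but this code only reads `record[condition.field]`; what the guard plus the `hasOwnProperty` check actually achieve is that a condition is never evaluated against an inherited value such as `record.constructor`, and that such conditions fail closed whatever the operator (the own-property check alone would yield `undefined`, which a negated operator, if the switch has one, could still match). Suggest `// Fail closed for prototype-chain keys and read only own properties, so a condition never matches inherited values (e.g. record.constructor)`. The array literal is rebuilt on every call; hoisting it to a module-level `const FORBIDDEN_FIELDS = new Set(['__proto__', 'constructor', 'prototype'])` and testing `FORBIDDEN_FIELDS.has(condition.field)` reads cleaner and documents the intent in one place. evaluateCondition's signature starts before the hunk and its body continues after it.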

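--- a/packages/tenant/src/resolver.ts
+++ b/packages/tenant/src/resolver.ts
@@ -67,8 +67,16 @@ export function createTenantResolver(
 resolve: () => {
 if (typeof document === 'undefined') return null;
 const name = options?.cookieName ?? 'tenant_id';
-const match = document.cookie.match(new RegExp(`(?:^|; )${name}=([^;]*)`));
-return match ? decodeURIComponent(match[1]) : null;
+const cookies = document.cookie.split('; ');
+for (const cookie of cookies) {
+const eqIndex = cookie.indexOf('=');
+if (eqIndex === -1) continue;
+const key = cookie.substring(0, eqIndex);
+if (key === name) {
+return decodeURIComponent(cookie.substring(eqIndex + 1));
+}
+}
+return null;
 },
 };
 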
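Review bot: `decodeURIComponent` on new line 76 still throws a `URIError` when the cookie value carries malformed percent-encoding (a stray `%`), and `document.cookie` is writable by any script running on the origin, so one bad value makes `resolve()` throw instead of returning `null` like every other failure path in this hunk. Replacing the interpolated regex with a split-and-compare loop removes the regex-injection issue; guarding the decode is the remaining hardening, shown below. When several cookies share the name (different path or domain scope) the loop returns whichever comes first in `document.cookie` order, which is worth stating in the resolver's doc comment so callers do not assume a single authoritative cookie. The enclosing createTenantResolver starts before the hunk.
```typescript
if (key === name) {
  try {
    return decodeURIComponent(cookie.substring(eqIndex + 1));
  } catch {
    // malformed percent-encoding in the cookie value: treat as "no tenant" rather than throwing
    return null;
  }
}
// … unchanged: rest of the loop and the trailing `return null` …
```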
