bugfix/CXSPA- 6934 & 9292: CDC Consent Management Issue #19916
base: develop
Conversation
integration-libs/cdc/root/consent-management/services/cdc-user-consent.service.ts
) { | ||
target[key] = this.deepMerge(target[key] ?? {}, source[key]); | ||
} else { | ||
target[key] = source[key]; |
Check warning: Code scanning / CodeQL: Prototype-polluting function (Medium). Flow: source to target.
Copilot Autofix AI 3 days ago
To fix the prototype pollution vulnerability, we need to ensure that the deepMerge function does not copy the special properties __proto__ and constructor. This can be achieved by adding checks to skip these properties during the merge process.
- Modify the deepMerge function to include checks for __proto__ and constructor.
- Ensure that these properties are not copied from the source object to the target object.
@@ -44,2 +44,5 @@ | ||
for (const key of Object.keys(source)) { | ||
if (key === '__proto__' || key === 'constructor') { | ||
continue; | ||
} | ||
if ( |
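Review bot: the continue at R45-R47 skips `__proto__` and `constructor` but not `prototype`; the usual denylist for this pattern is all three, so a `{"constructor": {"prototype": {...}}}` payload is blocked only because the first key is, and a later refactor that drops `constructor` would reopen it. The recursion on the line below, `target[key] = this.deepMerge(target[key] ?? {}, source[key]);`, also reuses whatever `target[key]` resolves to, including an inherited object, so guard it with `Object.prototype.hasOwnProperty.call(target, key)` before merging into the existing value instead of a fresh `{}`. Please add a regression test that merges `JSON.parse('{"__proto__": {"polluted": true}}')` (JSON.parse makes `__proto__` an own enumerable key, which is why `Object.keys(source)` returns it) and asserts `({}).polluted` stays undefined.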
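The merge shape flagged by CodeQL beside a hardened version, as an added example that is not Spartacus code or the Copilot suggestion. It assumes the illustrative names deepMergeUnsafe, deepMergeSafe, isPlainObject and pollutes, and the attacker payload is constructed here. It goes a step past the autofix: it also skips `prototype` and only recurses into an own property of target, so an inherited object such as Object.prototype is never mutated in place.

```typescript
// Added example, not project code. Names below are illustrative assumptions.
type Dict = Record<string, any>;

function isPlainObject(v: unknown): v is Dict {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Shape of the flagged code: recurses into whatever target[key] resolves to,
// which for key "__proto__" is Object.prototype itself.
function deepMergeUnsafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      target[key] = deepMergeUnsafe(target[key] ?? {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the prototype-manipulating keys (the autofix's two plus
// "prototype") and only merge into an *own* plain object on target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepMergeSafe(target: Dict, source: Dict): Dict {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = deepMergeSafe(own, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge against a constructed attacker payload. JSON.parse creates
// "__proto__" as an *own* enumerable key, which is why Object.keys() yields it.
// Returns true if Object.prototype ended up carrying the injected property,
// and always removes it again so later code is unaffected.
function pollutes(merge: (target: Dict, source: Dict) => Dict): boolean {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  try {
    merge({}, payload);
    return ({} as any).polluted === true;
  } finally {
    delete (Object.prototype as any).polluted;
  }
}

console.log('unsafe pollutes:', pollutes(deepMergeUnsafe)); // true
console.log('safe pollutes:', pollutes(deepMergeSafe)); // false
console.log(JSON.stringify(deepMergeSafe({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

The own-property check matters independently of the denylist: without it, any key that happens to exist on target's prototype chain is merged into the shared prototype object rather than into target.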
@@ -7,6 +7,10 @@ | |||
import { Injectable } from '@angular/core'; | |||
import { ConsentTemplate, Converter } from '@spartacus/core'; | |||
|
|||
/** | |||
* @deprecated since 2211-ng19.0, use class CdcPreferenceSerializer instead |
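Review bot: the `@deprecated since 2211-ng19.0` tag hard-codes a release name that, per the thread, is not yet confirmed; if the February release ships under a different, SemVer-compatible name this string is wrong in the published API docs and in every IDE hover. Keep it aligned with whatever the release is finally called, and write the replacement as `{@link CdcPreferenceSerializer}` rather than bare text so tooling resolves it to the class.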
FYI It's still debatable whether the Feb release will be named 2211-ng19.0. We're checking now if it's possible, due to being incompatible with the SemVer schema https://semver.org/ - which is assumed in the npm ecosystem
JIRA: