From 858bad1634412401d526e41ab2a4d73abfdf65a6 Mon Sep 17 00:00:00 2001 From: "Eyo O. Eyo" <7893459+eokoneyo@users.noreply.github.com> Date: Thu, 24 Oct 2024 13:20:30 +0200 Subject: [PATCH 1/2] [CodeQL] resolve issue with prototype pollution (#196685) ## Summary Relates to https://github.com/elastic/kibana-team/issues/1102 Particularly addresses issues with prototype pollution Co-authored-by: Elastic Machine (cherry picked from commit 7164a343e5f101e1790ffa484d649e700cdc05b2) --- src/core/public/ui_settings/ui_settings_client.ts | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/core/public/ui_settings/ui_settings_client.ts b/src/core/public/ui_settings/ui_settings_client.ts index ee5d5da8d29b9..a28a2fe8af700 100644 --- a/src/core/public/ui_settings/ui_settings_client.ts +++ b/src/core/public/ui_settings/ui_settings_client.ts @@ -33,7 +33,11 @@ export class UiSettingsClient implements IUiSettingsClient { constructor(params: UiSettingsClientParams) { this.api = params.api; this.defaults = cloneDeep(params.defaults); - this.cache = defaultsDeep({}, this.defaults, cloneDeep(params.initialSettings)); + this.cache = defaultsDeep( + Object.create(null), + this.defaults, + cloneDeep(params.initialSettings) + ); params.done$.subscribe({ complete: () => { @@ -99,7 +103,10 @@ You can use \`IUiSettingsClient.get("${key}", defaultValue)\`, which will just r } isDeclared(key: string) { - return key in this.cache; + return ( + // @ts-ignore + (key !== '__proto__' || key !== 'constructor' || key !== 'prototype') && key in this.cache + ); } isDefault(key: string) { From 1df83598fb883dab43e20f2335d0687b1d544f61 Mon Sep 17 00:00:00 2001 From: Eyo Okon Eyo Date: Mon, 4 Nov 2024 11:58:34 +0100 Subject: [PATCH 2/2] use appropriate comment --- src/core/public/ui_settings/ui_settings_client.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
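Review bot: `this.cache` no longer carries `hasOwnProperty`, `toString` or any other `Object.prototype` member now that it is built on `Object.create(null)`, so any code elsewhere in the class that calls `this.cache.hasOwnProperty(key)` or stringifies the cache would now throw; no such call is visible in this hunk, so this is a grep-and-confirm item rather than a known break. The prototype-free idiom that works on either kind of object is `Object.prototype.hasOwnProperty.call(this.cache, key)`. The intent of the first argument is not obvious from the call, so it deserves a one-line comment, e.g. `// null prototype: a '__proto__'/'constructor' key cannot reach Object.prototype`. The constructor body continues outside the hunk.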
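Review bot: The guard added to `isDeclared` is a tautology: `key !== '__proto__' || key !== 'constructor' || key !== 'prototype'` is true for every string, since no key equals all three names at once, so `key in this.cache` still runs for `__proto__`, `constructor` and `prototype` and the hardening is a no-op. The `// @ts-ignore` is very likely silencing the compiler's no-overlap comparison error (after `key !== '__proto__'` is false, `key` is narrowed to `'__proto__'`, which can never equal `'constructor'`), i.e. TypeScript was pointing at exactly this bug. Use `&&` and drop the suppression: `return key !== '__proto__' && key !== 'constructor' && key !== 'prototype' && key in this.cache;`. The explicit key check is still worth keeping even with the null-prototype cache, because an own property literally named `__proto__` can be created on such an object and `in` would report it. The enclosing class starts outside the hunk.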
diff --git a/src/core/public/ui_settings/ui_settings_client.ts b/src/core/public/ui_settings/ui_settings_client.ts
index a28a2fe8af700..7944f9ec69224 100644
--- a/src/core/public/ui_settings/ui_settings_client.ts
+++ b/src/core/public/ui_settings/ui_settings_client.ts
@@ -104,7 +104,7 @@ You can use \`IUiSettingsClient.get("${key}", defaultValue)\`, which will just r isDeclared(key: string) { return ( - // @ts-ignore + // @ts-expect-error (key !== '__proto__' || key !== 'constructor' || key !== 'prototype') && key in this.cache ); }
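Review bot: `// @ts-expect-error` now makes the build depend on the very error it hides, and that error only exists because the `||` chain beneath it is a tautology the compiler can see (`key` is narrowed to `'__proto__'` before it is compared with `'constructor'`); once the condition is corrected to `&&`, TypeScript reports the directive itself as an unused `@ts-expect-error`, so the comment and the condition have to change together. If a suppression is ever kept here it should say what it suppresses and why, e.g. `// @ts-expect-error <reason> — remove once the comparison is fixed`, because as written it reads as if the comparison were intentional. The enclosing class starts outside the hunk.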