From 2009d0290b22170391b581118b6225a939f9496f Mon Sep 17 00:00:00 2001
From: Devin Binnie <52460000+devinbinnie@users.noreply.github.com>
Date: Tue, 28 Feb 2023 09:48:48 -0500
Subject: [PATCH] [MM-50712] Fix local prototype pollution flaw (#2567)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* [MM-50712] Fix local prototype pollution flaw
* Update src/main/diagnostics/steps/internal/loggerHooks.test.js
Co-authored-by: Daniel Espino García
---------
Co-authored-by: Daniel Espino García
---
 src/main/diagnostics/steps/internal/loggerHooks.test.js | 8 ++++++++
 src/main/diagnostics/steps/internal/obfuscators.ts | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/main/diagnostics/steps/internal/loggerHooks.test.js b/src/main/diagnostics/steps/internal/loggerHooks.test.js
index 6a8ba2e9..1649ec1d 100644
--- a/src/main/diagnostics/steps/internal/loggerHooks.test.js
+++ b/src/main/diagnostics/steps/internal/loggerHooks.test.js
@@ -4,6 +4,7 @@
 import {MASK_EMAIL, MASK_PATH} from 'common/constants';
 import {maskMessageDataHook} from './loggerHooks';
+import {obfuscateByType} from './obfuscators';
 const loggerMock = {
 transports: {
@@ -59,6 +60,13 @@ describe('main/diagnostics/loggerHooks', () => {
 expect(URLs.some((url) => result.includes(url))).toBe(false);
 });
+ it('should not allow local prototype pollution', () => {
+ const obj = JSON.parse('{"__proto__":["1","2","3","4"]}');
+ expect(obj instanceof Array).toBe(false);
+ const obf = obfuscateByType(obj);
+ expect(obf instanceof Array).toBe(false);
+ });
+
 describe('should mask paths for all OSs', () => {
 it('darwin', () => {
 const originalPlatform = process.platform;
diff --git a/src/main/diagnostics/steps/internal/obfuscators.ts b/src/main/diagnostics/steps/internal/obfuscators.ts
index 066480f9..00e68b04 100644
--- a/src/main/diagnostics/steps/internal/obfuscators.ts
+++ b/src/main/diagnostics/steps/internal/obfuscators.ts
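Review bot: The added test `should not allow local prototype pollution` in loggerHooks.test.js only asserts `instanceof Array`, so it proves the fix for an array-valued `__proto__` and nothing else; a result whose prototype had been replaced by a plain object or a non-array value would still pass. Asserting the invariant directly is tighter: `expect(Object.getPrototypeOf(obf)).toBe(Object.prototype);`. A second case with the `__proto__` key one level down inside a nested object would show whether the recursion through `obfuscateByType` is covered, which cannot be confirmed from this hunk. The enclosing `describe('main/diagnostics/loggerHooks', …)` starts and ends outside the hunk.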
@@ -60,7 +60,10 @@ function maskDataInArray(arr: unknown[]): unknown[] {
 function maskDataInObject(obj: Record): Record {
 return Object.keys(obj).reduce>((acc, key) => {
- acc[key] = obfuscateByType(obj[key]);
+ // Avoid local prototype pollution
+ if (key !== '__proto__') {
+ acc[key] = obfuscateByType(obj[key]);
+ }
 return acc;
 }, {});
 }
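Review bot: The guard in `maskDataInObject` skips one exact key, and the comment `// Avoid local prototype pollution` does not say why that key is special: `acc` is a plain `{}`, so `acc['__proto__'] = …` runs the inherited setter and replaces the accumulator's prototype instead of creating an own property. I would state that in the comment, e.g. `// '__proto__' can be an own key (e.g. from JSON.parse); assigning it on {} would swap acc's prototype, so drop it`. The entry is dropped rather than masked, so the key disappears from the obfuscated output; if it should remain visible, `Object.defineProperty(acc, key, {value: obfuscateByType(obj[key]), enumerable: true, writable: true, configurable: true});` defines an own property for every key and needs no special case. `obfuscateByType` and `maskDataInArray` are outside this hunk, so any other place that builds objects by keyed assignment from untrusted keys should be checked separately.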