Avoid calling hasOwnProperty of user-controlled objects

rlidwka · rlidwka · commit 9586ebe23298 · 2020-12-07T20:58:53.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 
+## [3.14.1] - 2020-12-07
+### Security
+- Fix possible code execution in (already unsafe) `.load()` (in &anchor).
+
+
 ## [3.14.0] - 2020-05-22
 ### Changed
 - Support `safe/loadAll(input, options)` variant of call.
diff --git a/lib/js-yaml/loader.js b/lib/js-yaml/loader.js
@@ -1272,7 +1272,7 @@ function readAlias(state) {
 
   alias = state.input.slice(_position, state.position);
 
-  if (!state.anchorMap.hasOwnProperty(alias)) {
+  if (!_hasOwnProperty.call(state.anchorMap, alias)) {
     throwError(state, 'unidentified alias "' + alias + '"');
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1272,7 +1272,7 @@ function readAlias(state) {`
`1272`	`1272`
`1273`	`1273`	`alias = state.input.slice(_position, state.position);`
`1274`	`1274`
`1275`		`- if (!state.anchorMap.hasOwnProperty(alias)) {`
	`1275`	`+ if (!_hasOwnProperty.call(state.anchorMap, alias)) {`
`1276`	`1276`	`throwError(state, 'unidentified alias "' + alias + '"');`
`1277`	`1277`	`}`
`1278`	`1278`