Merge pull request #6704 from plotly/nestedProperty-proto

Fix potential prototype pollution in `nestedProperty`

Author: archmoj

Diff for: src/lib/nested_property.js

@@ -24,13 +24,20 @@ module.exports = function nestedProperty(container, propStr) {
         throw 'bad property string';
     }
 
-    var j = 0;
     var propParts = propStr.split('.');
     var indexed;
     var indices;
-    var i;
+    var i, j;
+
+    for(j = 0; j < propParts.length; j++) {
+        // guard against polluting __proto__ and other internals
+        if(String(propParts[j]).slice(0, 2) === '__') {
+            throw 'bad property string';
+        }
+    }
 
     // check for parts of the nesting hierarchy that are numbers (ie array elements)
+    j = 0;
     while(j < propParts.length) {
         // look for non-bracket chars, then any number of [##] blocks
         indexed = String(propParts[j]).match(/^([^\[\]]*)((\[\-?[0-9]*\])+)$/);

Diff for: test/jasmine/tests/lib_test.js

@@ -468,7 +468,9 @@ describe('Test lib.js:', function() {
 
         it('should fail on a bad property string', function() {
             var badStr = [
-                [], {}, false, undefined, null, NaN, Infinity
+                [], {}, false, undefined, null, NaN, Infinity,
+                // should guard against prototype pollution
+                'x.__proto__.polluted', 'x.y.__proto__.polluted'
             ];
 
             function badProp(i) {