fix: backport prototype vuln. fixes

2026-01-11 01:52:55 +01:00 · 2023-07-19 17:52:42 -04:00
parent 354c9c2cc1
commit bb997a78cc
1 changed files with 2 additions and 2 deletions
--- a/src/socket.io/index.js
+++ b/src/socket.io/index.js
@@ -13,7 +13,7 @@ const logger = require('../logger');
 const plugins = require('../plugins');
 const ratelimit = require('../middleware/ratelimit');

-const Namespaces = {};
+const Namespaces = Object.create(null);

 const Sockets = module.exports;

@@ -123,7 +123,7 @@ async function onMessage(socket, payload) {
 	const parts = eventName.toString().split('.');
 	const namespace = parts[0];
 	const methodToCall = parts.reduce((prev, cur) => {
-		if (prev !== null && prev[cur]) {
+		if (prev !== null && prev[cur] && (!prev.hasOwnProperty || prev.hasOwnProperty(cur))) {
 			return prev[cur];
 		}
 		return null;