fix(security): Follow up on CVE-2020-28477 where path: [["__proto__"], "x"] could still pollute the prototype

Author: mweststrate

__tests__/patch.js

@@ -1258,6 +1258,24 @@ test("maps can store __proto__, prototype and constructor props", () => {
 	expect(obj.polluted).toBe(undefined)
 })
 
+test("CVE-2020-28477 (https://snyk.io/vuln/SNYK-JS-IMMER-1019369) follow up", () => {
+	const obj = {}
+
+	// @ts-ignore
+	expect(obj.polluted).toBe(undefined)
+	expect(() => {
+		applyPatches({}, [
+			{op: "add", path: [["__proto__"], "polluted"], value: "yes"}
+		])
+	}).toThrow(
+		isProd
+			? "24"
+			: "Patching reserved attributes like __proto__, prototype and constructor is not allowed"
+	)
+	// @ts-ignore
+	expect(obj.polluted).toBe(undefined)
+})
+
 test("#648 assigning object to itself should not change patches", () => {
 	const input = {
 		obj: {

src/plugins/patches.ts

@@ -207,7 +207,7 @@ export function enablePatches() {
 			let base: any = draft
 			for (let i = 0; i < path.length - 1; i++) {
 				const parentType = getArchtype(base)
-				const p = path[i]
+				const p = "" + path[i]
 				// See #738, avoid prototype pollution
 				if (
 					(parentType === Archtype.Object || parentType === Archtype.Array) &&