Ignore __proto__ fields in deepMerge() (#2779)

This resolves a security issue within @apollo/gateway. The deepMerge
function is open to a known attack vector called prototype pollution.
Prototype pollution allows a user to "pollute" Object.prototype, thereby
polluting all Objects with Object.prototype in their prototype chain.

This function is currently only in use by @apollo/gateway.

Author: trevor-scheer

packages/apollo-gateway/CHANGELOG.md

@@ -1,3 +1,7 @@
 # Changelog
 
 ### vNEXT
+
+# v0.6.2
+
+* Resolve an issue with \__proto__ pollution in deepMerge() [#2779](https://github.com/apollographql/apollo-server/pull/2779)

packages/apollo-gateway/src/utilities/__tests__/deepMerge.test.ts

@@ -0,0 +1,59 @@
+import { deepMerge } from '../deepMerge';
+
+describe('deepMerge', () => {
+  it('merges basic', () => {
+    const target = {
+      a: 1,
+      b: 2,
+    };
+
+    const source = {
+      b: 3,
+      c: 4,
+    };
+
+    expect(deepMerge(target, source)).toEqual({
+      a: 1,
+      b: 3,
+      c: 4,
+    });
+  });
+
+  it('merges nested objects', () => {
+    const target = {
+      a: 1,
+      b: {
+        someProperty: 1,
+        overwrittenProperty: 'clean',
+      },
+    };
+
+    const source = {
+      b: {
+        overwrittenProperty: 'dirty',
+        newProperty: 'new',
+      },
+      c: 4,
+    };
+
+    expect(deepMerge(target, source)).toEqual({
+      a: 1,
+      b: {
+        newProperty: 'new',
+        overwrittenProperty: 'dirty',
+        someProperty: 1,
+      },
+      c: 4,
+    });
+  });
+
+  it('ignores merging __proto__ fields', () => {
+    const target = {};
+
+    // Bypass setters on __proto__
+    const source = JSON.parse('{"__proto__": {"pollution": true}}');
+    deepMerge(target, source);
+
+    expect(Object.prototype.hasOwnProperty('pollution')).toBe(false);
+  });
+});

packages/apollo-gateway/src/utilities/deepMerge.ts

@@ -4,7 +4,7 @@ export function deepMerge(target: any, source: any): any {
   if (source === undefined || source === null) return target;
 
   for (const key of Object.keys(source)) {
-    if (source[key] === undefined) continue;
+    if (source[key] === undefined || key === '__proto__') continue;
 
     if (target[key] && isObject(source[key])) {
       deepMerge(target[key], source[key]);