From 852f282b03697dbda35f8c3b21299b229a877026 Mon Sep 17 00:00:00 2001
From: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
Date: Sun, 18 Aug 2024 19:57:05 +0200
Subject: [PATCH] sec: Fix prototype pollution in webaccess module

---
 src/node/hooks/express/webaccess.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/node/hooks/express/webaccess.ts b/src/node/hooks/express/webaccess.ts
index cb6884dc3..10547b046 100644
--- a/src/node/hooks/express/webaccess.ts
+++ b/src/node/hooks/express/webaccess.ts
@@ -177,6 +177,10 @@ const checkAccess = async (req:any, res:any, next: Function) => {
 res.status(401).send('Authentication Required');
 return;
 }
+ if (ctx.username === '__proto__' || ctx.username === 'constructor' || ctx.username === 'prototype') {
+ res.end(403);
+ return;
+ }
 settings.users[ctx.username].username = ctx.username;
 // Make a shallow copy so that the password property can be deleted (to prevent it from
 // appearing in logs or in the database) without breaking future authentication attempts.
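Review bot: `res.end(403)` on the second added line does not set a status code; `ServerResponse.end` takes a body chunk, and a number is rejected with ERR_INVALID_ARG_TYPE, so a request with one of these usernames ends in a throw inside an async handler rather than a 403. Use the same shape as the 401 branch three lines up: `res.status(403).send('Forbidden');`. The denylist is also narrower than the problem it addresses: any other name inherited from `Object.prototype` (`toString`, `hasOwnProperty`, …) still reaches `settings.users[ctx.username].username = ctx.username` on the next context line, where the assignment lands on a shared built-in function object; replacing the three string comparisons with `if (!Object.prototype.hasOwnProperty.call(settings.users, ctx.username)) {` rejects every inherited key at once, assuming the existing lookup above the hunk is a plain truthiness check (not visible here). checkAccess starts and continues outside the hunk.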