From ef36ea699901c68b3996f4a5864d9259f68be306 Mon Sep 17 00:00:00 2001
From: Dragory <2606411+Dragory@users.noreply.github.com>
Date: Sat, 1 Apr 2023 22:13:48 +0300
Subject: [PATCH] fix: additional checks for tag set/get
---
 backend/src/plugins/Tags/util/renderTagBody.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/backend/src/plugins/Tags/util/renderTagBody.ts b/backend/src/plugins/Tags/util/renderTagBody.ts
index d8aef998..a321360d 100644
--- a/backend/src/plugins/Tags/util/renderTagBody.ts
+++ b/backend/src/plugins/Tags/util/renderTagBody.ts
@@ -6,6 +6,9 @@ import { findTagByName } from "./findTagByName";
 const MAX_TAG_FN_CALLS = 25;
+// This is used to disallow setting/getting default object properties (such as __proto__) in dynamicVars
+const emptyObject = {};
+
 export async function renderTagBody(
 pluginData: GuildPluginData,
 body: TTag,
@@ -22,15 +25,19 @@ export async function renderTagBody(
 ...pluginData.state.tagFunctions,
 set(name, val) {
 if (typeof name !== "string") return;
+ if (emptyObject[name]) return;
 dynamicVars[name] = val;
 },
 setr(name, val) {
 if (typeof name !== "string") return "";
+ if (emptyObject[name]) return;
 dynamicVars[name] = val;
 return val;
 },
 get(name) {
- return !dynamicVars.hasOwnProperty(name) || dynamicVars[name] == null ? "" : dynamicVars[name];
+ if (typeof name !== "string") return "";
+ if (emptyObject[name]) return;
+ return !Object.hasOwn(dynamicVars, name) || dynamicVars[name] == null ? "" : dynamicVars[name];
 },
 tag: async (name, ...subTagArgs) => {
 if (++tagFnCallsObj.calls > MAX_TAG_FN_CALLS) return "";
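Review bot: The `emptyObject` sentinel added in the first hunk is a mutable module-level object, and the check built on it only holds while it has no own properties. `const emptyObject = Object.freeze({});` would enforce that. The comment above it could also state that the check rejects every key inherited from `Object.prototype` at lookup time, not only `__proto__`. `dynamicVars` is declared outside this hunk; if it can be created with `Object.create(null)` or replaced by a `Map`, the inherited keys are gone at the source and no denylist is needed.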
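Review bot: The new `if (emptyObject[name]) return;` guard in `setr` and `get` (second hunk) returns `undefined`, while the type check directly above it in both functions returns `""`. A template that reads a blocked name such as `__proto__` therefore gets a different value from one that reads any other unset variable. Returning the empty string keeps the contract uniform: `if (name in emptyObject) return "";`. Using `in` rather than a truthiness test also states the intent (any inherited key is rejected) and does not rely on every prototype member being truthy. The enclosing `renderTagBody` starts and ends outside this hunk, so how callers handle `undefined` is not visible here.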