fix: security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7844)

src/Utils.js

@@ -332,6 +332,32 @@ class Utils {
       };
     }
   }
+
+  /**
+   * Deep-scans an object for a matching key/value definition.
+   * @param {Object} obj The object to scan.
+   * @param {String | undefined} key The key to match, or undefined if only the value should be matched.
+   * @param {any | undefined} value The value to match, or undefined if only the key should be matched.
+   * @returns {Boolean} True if a match was found, false otherwise.
+   */
+  static objectContainsKeyValue(obj, key, value) {
+    const isMatch = (a, b) => (typeof a === 'string' && new RegExp(a).test(b)) || a === b;
+    const isKeyMatch = k => isMatch(key, k);
+    const isValueMatch = v => isMatch(value, v);
+    for (const [k, v] of Object.entries(obj)) {
+      if (key !== undefined && value === undefined && isKeyMatch(k)) {
+        return true;
+      } else if (key === undefined && value !== undefined && isValueMatch(v)) {
+        return true;
+      } else if (key !== undefined && value !== undefined && isKeyMatch(k) && isValueMatch(v)) {
+        return true;
+      }
+      if (['[object Object]', '[object Array]'].includes(Object.prototype.toString.call(v))) {
+        return Utils.objectContainsKeyValue(v, key, value);
+      }
+    }
+    return false;
+  }
 }
 
 module.exports = Utils;