fix(core): Ensure .service does not access Object properties (#3235)

daffl · web-flow · commit c0b670ac4c7b · 2023-07-14T11:11:03.000-07:00
diff --git a/packages/feathers/src/application.ts b/packages/feathers/src/application.ts
@@ -62,7 +62,7 @@ export class Feathers<Services, Settings>
     location: L
   ): FeathersService<this, keyof any extends keyof Services ? Service : Services[L]> {
     const path = (stripSlashes(location) || '/') as L
-    const current = this.services[path]
+    const current = this.services.hasOwnProperty(path) ? this.services[path] : undefined
 
     if (typeof current === 'undefined') {
       this.use(path, this.defaultService(path) as any)
diff --git a/packages/feathers/test/application.test.ts b/packages/feathers/test/application.test.ts
@@ -306,6 +306,20 @@ describe('Feathers application', () => {
 
       assert.ok((wrappedService.create as any)[TEST])
     })
+
+    it('.service does does not access object properties', async () => {
+      const app = feathers()
+
+      assert.throws(() => app.service('something'), {
+        message: "Can not find service 'something'"
+      })
+      assert.throws(() => app.service('__proto__'), {
+        message: "Can not find service '__proto__'"
+      })
+      assert.throws(() => app.service('toString'), {
+        message: "Can not find service 'toString'"
+      })
+    })
   })
 
   describe('Express app options compatibility', function () {
