From 787e85605ccb50179fec18f73e8bc5a8750724aa Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Mon, 20 Feb 2023 15:03:02 +0000
Subject: [PATCH] fix(security): prevent potential prototype pollution via request body filter (#1388)
* fix(security): prevent potential pollution of request body being executed
* An array is expected
---
 packages/server/modules/blobstorage/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/modules/blobstorage/index.js b/packages/server/modules/blobstorage/index.js
index 300406e03..4caf017de 100644
--- a/packages/server/modules/blobstorage/index.js
+++ b/packages/server/modules/blobstorage/index.js
@@ -182,7 +182,7 @@ exports.init = async (app) => {
 }
 const bq = await getAllStreamBlobIds({ streamId: req.params.streamId })
- const unknownBlobIds = req.body.filter(
+ const unknownBlobIds = [...req.body].filter(
 (id) => bq.findIndex((bInfo) => bInfo.id === id) === -1
 )
 res.send(unknownBlobIds)
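Review bot: The new line `const unknownBlobIds = [...req.body].filter(` still trusts the shape of `req.body`. Spreading a non-iterable body (a plain JSON object, `null`, or `undefined`) throws a `TypeError` inside this async handler, and a string body would be split into single characters and treated as ids. The `}` just above may close a shape check, but the handler starts and ends outside the hunk and the commit adds no guard of its own, so it is worth confirming that something like `if (!Array.isArray(req.body) || !req.body.every((id) => typeof id === 'string')) return res.status(400).end()` runs before this line. The lookup also calls `bq.findIndex` once per submitted id, so an unbounded body makes the request cost grow with body size times blob count. Capping the array length and testing membership with `const known = new Set(bq.map((b) => b.id))` would bound that.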