From cfd5fbfc32368bcf7e06d1c5985ea60e34cd4028 Mon Sep 17 00:00:00 2001 From: David Worms Date: Sun, 25 Apr 2021 23:39:08 +0200 Subject: [PATCH] fix: dont pollute object proto #1 --- CHANGELOG.md | 5 +++++ dist/mixme.cjs.js | 6 +++++- dist/mixme.esm.js | 4 ++++ dist/mixme.umd.js | 6 +++++- lib/index.js | 3 +++ src/index.coffee | 1 + test/merge.coffee | 5 +++++ test/mutate.coffee | 6 ++++++ 8 files changed, 34 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d8803a..90bbffa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ # Changelog +## Trunk + +* fix: dont pollute object proto #1 +* chore: latest dependencies + ## Version 0.5.0 * feat: support object with null prototype diff --git a/dist/mixme.cjs.js b/dist/mixme.cjs.js index 84da66c..c071ccf 100644 --- a/dist/mixme.cjs.js +++ b/dist/mixme.cjs.js @@ -19,7 +19,7 @@ function _typeof(obj) { } // Generated by CoffeeScript 2.5.1 -var _snake_case; +var _snake_case; exports.clone = void 0; exports.compare = void 0; exports.is_object = void 0; exports.is_object_literal = void 0; exports.merge = void 0; exports.mutate = void 0; exports.snake_case = void 0; exports.merge = function merge() { return exports.mutate.apply(void 0, [{}].concat(Array.prototype.slice.call(arguments))); @@ -50,6 +50,10 @@ exports.mutate = function mutate() { } for (name in source) { + if (name === '__proto__') { + continue; + } + target[name] = exports.mutate(target[name], source[name]); } } else if (Array.isArray(source)) { diff --git a/dist/mixme.esm.js b/dist/mixme.esm.js index 87f2cfc..e4adb55 100644 --- a/dist/mixme.esm.js +++ b/dist/mixme.esm.js @@ -46,6 +46,10 @@ _mutate = function mutate() { } for (name in source) { + if (name === '__proto__') { + continue; + } + target[name] = _mutate(target[name], source[name]); } } else if (Array.isArray(source)) { diff --git a/dist/mixme.umd.js b/dist/mixme.umd.js index 6dc309c..28adeb2 100644 --- a/dist/mixme.umd.js +++ b/dist/mixme.umd.js 
@@ -21,7 +21,7 @@ } // Generated by CoffeeScript 2.5.1 - var _snake_case; + var _snake_case; exports.clone = void 0; exports.compare = void 0; exports.is_object = void 0; exports.is_object_literal = void 0; exports.merge = void 0; exports.mutate = void 0; exports.snake_case = void 0; exports.merge = function merge() { return exports.mutate.apply(void 0, [{}].concat(Array.prototype.slice.call(arguments))); @@ -52,6 +52,10 @@ } for (name in source) { + if (name === '__proto__') { + continue; + } + target[name] = exports.mutate(target[name], source[name]); } } else if (Array.isArray(source)) { diff --git a/lib/index.js b/lib/index.js index 22e4f4c..261b402 100644 --- a/lib/index.js +++ b/lib/index.js @@ -27,6 +27,9 @@ mutate = function() { target = {}; } for (name in source) { + if (name === '__proto__') { + continue; + } target[name] = mutate(target[name], source[name]); } } else if (Array.isArray(source)) { diff --git a/src/index.coffee b/src/index.coffee index e7b2318..155446a 100644 --- a/src/index.coffee +++ b/src/index.coffee @@ -19,6 +19,7 @@ mutate = -> if is_object_literal source target = {} unless is_object_literal target for name of source + continue if name is '__proto__' target[name] = mutate target[name], source[name] else if Array.isArray source target = for v in source diff --git a/test/merge.coffee b/test/merge.coffee index 20f9df9..d895a32 100644 --- a/test/merge.coffee +++ b/test/merge.coffee @@ -25,3 +25,8 @@ describe 'mixme.merge', -> .should.eql a: 1, b: 2, c: 0 obj2 .should.eql a: 1, c: 3, d: 4 + + it 'dont merge proto', -> + merge {}, JSON.parse '{"__proto__": {"polluted": "ohno"}}' + obj = Object.create {} + should(obj.polluted).be.Undefined() diff --git a/test/mutate.coffee b/test/mutate.coffee index 2d7cecf..4fdde45 100644 --- a/test/mutate.coffee +++ b/test/mutate.coffee 
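Review bot: The guard added to the `for name of source` loop in src/index.coffee matches only the literal key `__proto__`, and nothing next to it says why. I would put a comment above it such as `# target['__proto__'] resolves to Object.prototype; merging into it would leak keys to every object`. Whether the other route to a shared prototype (a `constructor` key followed by `prototype`) is closed depends on `is_object_literal` rejecting functions so that `target = {} unless is_object_literal target` replaces them; that helper is outside the hunk, so a test pinning the case would be worth adding. `mutate` starts and continues outside the hunk, and the same guard is repeated in the generated lib/ and dist/ files.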
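Review bot: The `dont merge proto` test in test/merge.coffee leaves `Object.prototype.polluted` set if its assertion ever fails, so a regression would also break unrelated tests that run afterwards; the test added in test/mutate.coffee uses the same key and has the same problem. I would assert on the prototype directly with `should(Object.prototype.polluted).be.Undefined()` and wrap the call in a `try`/`finally` that runs `delete Object.prototype.polluted`. The payload carries `__proto__` only at the top level; because the guard sits in the recursive `mutate`, a second case with the key one level down, `'{"a": {"__proto__": {"polluted": "ohno"}}}'`, would cover the recursion as well.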
@@ -23,6 +23,12 @@ describe 'mutate', -> {...obj1} .should.eql { a: 'a value', b: 'b new', c: { d: 'd new', f: 'f value'}} + it 'dont merge proto', -> + src = {} + mutate src, JSON.parse '{"__proto__": {"polluted": "ohno"}}' + obj = Object.create {} + should(obj.polluted).be.Undefined() + describe '2nd arg not object', -> it 'object with string', ->
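Review bot: The new `dont merge proto` test never inspects `src` after the call, so it would still pass if the guard dropped sibling keys along with `__proto__`. Giving the payload a sibling key and asserting on the result pins what is expected to survive, for example `src.should.eql a: 1` after mutating with `'{"a": 1, "__proto__": {"polluted": "ohno"}}'`. The `describe 'mutate'` block starts outside the hunk.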