fix: Address prototype pollution vulnerability in merge function

bigpipe · Jul 5, 2021 · 29851b6 · 29851b6
1 parent 238137e
commit 29851b6
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -282,7 +282,7 @@ function merge(target, additional) {
     each(additional, function objectForEach(key, value) {
       if (target[key] === undefined) {
         result[key] = value;
-      } else {
+      } else if (Object.hasOwnProperty.call(target, key)){
         result[key] = merge(target[key], additional[key]);
       }
     });

diff --git a/test.js b/test.js
@@ -181,4 +181,12 @@ describe('predefine', function () {
       assume(calls).to.equal(1);
     });
   });
+
+  describe('.merge', function () {
+    it('avoids prototype polluting', function () {
+      predefine.merge({}, JSON.parse('{"__proto__": {"a": "b"}}'));
+
+      assume(({}).a).to.be.undefined();
+   });
+  });
 });