From 29851b6a8e7090b4ddf05d7533479c25051eac3b Mon Sep 17 00:00:00 2001
From: ohad2712 <ohad.finkelstein@snyk.io>
Date: Mon, 5 Jul 2021 17:11:44 +0300
Subject: [PATCH] fix: Address prototype pollution vulnerability in merge
 function

---
 index.js | 2 +-
 test.js  | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index c7689b0..6a99a08 100644
--- a/index.js
+++ b/index.js
@@ -282,7 +282,7 @@ function merge(target, additional) {
     each(additional, function objectForEach(key, value) {
       if (target[key] === undefined) {
         result[key] = value;
-      } else {
+      } else if (Object.hasOwnProperty.call(target, key)){
         result[key] = merge(target[key], additional[key]);
       }
     });
diff --git a/test.js b/test.js
index d45b961..cb71a38 100644
--- a/test.js
+++ b/test.js
@@ -181,4 +181,12 @@ describe('predefine', function () {
       assume(calls).to.equal(1);
     });
   });
+
+  describe('.merge', function () {
+    it('avoids prototype polluting', function () {
+      predefine.merge({}, JSON.parse('{"__proto__": {"a": "b"}}'));
+
+      assume(({}).a).to.be.undefined();
+   });
+  });
 });