skip assignment to __proto__
nlf committed Feb 6, 2018

1 parent dfadda7 commit 32ed5c9
Showing 2 changed files with 13 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/index.js
@@ -115,6 +115,10 @@ exports.merge = function (target, source, isNullOverride /* = true */, isMergeAr
const keys = Object.keys(source);
for (let i = 0; i < keys.length; ++i) {
const key = keys[i];
if (key === '__proto__') {
continue;
}

const value = source[key];
if (value &&
typeof value === 'object') {
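Review bot: The new `if (key === '__proto__')` check at the top of the key loop has no comment saying why the key is skipped, so a later refactor could drop it as dead-looking code. I would put `// An own "__proto__" key (e.g. from JSON.parse) must never be copied: assigning or recursing through target[key] would reach the shared prototype` directly above it. The check only screens keys that `merge` itself iterates. The object-valued branch that begins on the last lines continues outside the hunk, so it is not visible here whether values copied wholesale in that branch are screened for the same key at deeper levels; that is worth confirming.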
9 changes: 9 additions & 0 deletions test/index.js
@@ -585,6 +585,15 @@ describe('merge()', () => {
Hoek.merge({ x: {} }, a);
expect(a.x.toString()).to.equal('abc');
});

it('skips __proto__', () => {

const a = '{ "ok": "value", "__proto__": { "test": "value" } }';

const b = Hoek.merge({}, JSON.parse(a));
expect(b).to.equal({ ok: 'value' });
expect(b.test).to.equal(undefined);
});
});

describe('applyToDefaults()', () => {
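Review bot: The `skips __proto__` test only covers a top-level key merged into an empty target, and both assertions inspect `b`, so nothing checks an object created after the merge. Adding `expect({}.test).to.equal(undefined);` would make a regression that writes to the shared prototype show up as exactly that, rather than as a side effect on `b`. A second case with the key one level down, for example merging `JSON.parse('{ "x": { "__proto__": { "test": "value" } } }')` into `{ x: {} }`, would pin the recursive path as well. If such an assertion ever fails, the added property stays on the prototype for the rest of the run, so the test should remove it in cleanup.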
