diff --git a/lib/index.js b/lib/index.js
index 44985985..5da4f33c 100755
--- a/lib/index.js
+++ b/lib/index.js
@@ -115,6 +115,10 @@ exports.merge = function (target, source, isNullOverride /* = true */, isMergeAr
 const keys = Object.keys(source);
 for (let i = 0; i < keys.length; ++i) {
 const key = keys[i];
+ if (key === '__proto__') {
+ continue;
+ }
+
 const value = source[key];
 if (value && typeof value === 'object') {
diff --git a/test/index.js b/test/index.js
index 45464bea..57140258 100755
--- a/test/index.js
+++ b/test/index.js
@@ -585,6 +585,15 @@ describe('merge()', () => {
 Hoek.merge({ x: {} }, a);
 expect(a.x.toString()).to.equal('abc');
 });
+
+ it('skips __proto__', () => {
+
+ const a = '{ "ok": "value", "__proto__": { "test": "value" } }';
+
+ const b = Hoek.merge({}, JSON.parse(a));
+ expect(b).to.equal({ ok: 'value' });
+ expect(b.test).to.equal(undefined);
+ });
 });

 describe('applyToDefaults()', () => {
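Review bot: The new `if (key === '__proto__')` guard carries no comment explaining why an own key is being dropped, and since `Object.keys` only yields own enumerable keys a future reader may assume the branch is dead and remove it; add `// Skip own '__proto__' keys (e.g. from JSON.parse) so merge() cannot alter Object.prototype` above it. The guard is an exact-string match, so it presumably does not cover other prototype-reaching paths such as a `constructor` key whose value is then merged into the target's `constructor.prototype`; whether the recursion below reaches that depends on code outside this hunk, which should be confirmed. The body of `merge` starts and ends outside the hunk.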
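Review bot: The new test checks only the returned object, not the global it is meant to protect; `expect(b.test).to.equal(undefined)` would also pass if `Object.prototype` had been polluted and `b` simply shadowed nothing, whereas the real regression is `Object.prototype.test` becoming defined. Add `expect({}.test).to.equal(undefined);` after the existing assertions to pin that. A second case with the key nested one level down, e.g. `'{ "a": { "__proto__": { "test": "value" } } }'`, would exercise the recursive merge path that this top-level input does not; the `describe('merge()')` block starts outside the hunk.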