Skip to content

Commit

Permalink
fix: break loop on unsafe keys;
Browse files Browse the repository at this point in the history
- Verified values w/ lodash
- Closes #22
  • Loading branch information
lukeed committed Jan 28, 2021
1 parent 5e2b4c6 commit 0a11c8a
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 14 deletions.
2 changes: 1 addition & 1 deletion src/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ export function dset(obj, keys, val) {
var i=0, l=keys.length, t=obj, x, k;
for (; i < l;) {
k = keys[i++];
if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;
if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
t = t[k] = (i === l) ? val : (typeof(x=t[k])===typeof(keys)) ? x : (keys[i]*0 !== 0 || !!~(''+keys[i]).indexOf('.')) ? {} : [];
}
}
20 changes: 7 additions & 13 deletions test/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -251,8 +251,7 @@ pollution('should protect against "__proto__" assignment', () => {

assert.equal(input.__proto__, before);
assert.equal(input, {
abc: 123,
hello: 123
abc: 123
});

assert.is.not({}.hello, 123);
Expand All @@ -269,7 +268,7 @@ pollution('should protect against "__proto__" assignment :: nested', () => {
assert.equal(input, {
abc: 123,
xyz: {
hello: 123
// empty
}
});

Expand All @@ -284,17 +283,17 @@ pollution('should ignore "prototype" assignment', () => {
dset(input, 'a.prototype.hello', 'world');

assert.is(input.a.prototype, undefined);
assert.is(input.a.hello, 'world');
assert.is(input.a.hello, undefined);

assert.equal(input, {
a: {
hello: 'world'
// converted, then aborted
}
});

assert.is(
JSON.stringify(input),
'{"a":{"hello":"world"}}'
'{"a":{}}'
);
});

Expand All @@ -319,16 +318,11 @@ pollution('should ignore "constructor" assignment :: nested', () => {

dset(input, 'constructor.prototype.hello', 'world');
assert.is(input.hasOwnProperty('constructor'), false);
assert.is(input.hasOwnProperty('hello'), true);
assert.is(input.hasOwnProperty('hello'), false);

assert.equal(input, {
hello: 'world'
// empty
});

assert.is(
JSON.stringify(input),
'{"hello":"world"}'
);
});

pollution.run();

0 comments on commit 0a11c8a

Please sign in to comment.