From 5c9ebb0b5fd025622cafbf8628ac259db0642533 Mon Sep 17 00:00:00 2001
From: Timo Machel
Date: Tue, 3 May 2022 15:31:41 +0200
Subject: [PATCH] fixed issue#33 CVE-2022-25645 added test for it
---
 package.json | 4 ++--
 src/merge.js | 1 +
 test/suites/pollution.js | 13 +++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 9180795..c4592c7 100644
--- a/package.json
+++ b/package.json
@@ -51,8 +51,8 @@
 "set"
 ],
 "devDependencies": {
- "bundt": "1.1.2",
+ "bundt": "1.1.5",
 "esm": "3.2.25",
- "uvu": "0.5.1"
+ "uvu": "0.5.3"
 }
 }
diff --git a/src/merge.js b/src/merge.js
index d428b14..49f467b 100644
--- a/src/merge.js
+++ b/src/merge.js
@@ -6,6 +6,7 @@ export function merge(a, b, k) {
 }
 } else {
 for (k in b) {
+ if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
 a[k] = merge(a[k], b[k]);
 }
 }
diff --git a/test/suites/pollution.js b/test/suites/pollution.js
index 2bca8dd..6965213 100644
--- a/test/suites/pollution.js
+++ b/test/suites/pollution.js
@@ -85,5 +85,18 @@ export default function (dset) {
 });
 });
+ // Test for CVE-2022-25645 - CWE-1321
+ pollution(
+ "should ignore JSON.parse crafted object including __proto__ :: provided by snyk",
+ () => {
+ var a = { b: { c: 1 } };
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}')); //Needs to craft payload with JSON.parse to keep the object key proto
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ }
+ );
+ pollution.run();
 }
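Review bot: The guard added inside `for (k in b)` in src/merge.js uses `break`, so the first `__proto__`, `constructor` or `prototype` key ends the whole loop and every key enumerated after it in `b` is silently left unmerged. Skipping only the rejected key keeps the pollution fix without truncating the rest of the input: `if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;`. A one-line comment such as `// skip keys that can reach Object.prototype (CWE-1321)` would record why these three names are refused. The body of merge() starts and ends outside this hunk, so the array branch and the return path are not reviewed here.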
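Review bot: The new case in test/suites/pollution.js exercises only the `__proto__` key, while the guard added to merge() in this commit also rejects `constructor` and `prototype`, so those two branches have no regression test. The payload carries no ordinary sibling key either, so the test cannot show whether keys next to a rejected one are still merged; a second case whose parsed object has a normal key after `__proto__` and asserts that it arrives in `a.b` would pin that behaviour. Asserting that the target is otherwise unchanged, e.g. `assert.equal(a, { b: { c: 1 } });`, would also catch a partial write. The enclosing `export default function (dset)` starts outside the hunk.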