From c4a4dd5682b266192369f1a09c3426bb3586144b Mon Sep 17 00:00:00 2001
From: Rob Halff <rob.halff@gmail.com>
Date: Sun, 16 Feb 2020 19:15:35 +0100
Subject: [PATCH] prepare v2.1.3

---
 CHANGELOG.md           |   3 +
 bower.json             |   2 +-
 dist/dot-object.js     | 122 ++++++++++++++++++++++++-----------------
 dist/dot-object.min.js |   2 +-
 index.js               |   7 ++-
 package.json           |   2 +-
 src/dot-object.js      |   7 ++-
 7 files changed, 85 insertions(+), 60 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ea1fb5..5735436 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # ChangeLog
 
+## 2020-16-02 Version 2.1.3
+* fix possible pollution of prototype for paths containing __proto__
+
 ## 2019-11-02 Version 2.1.1
 * fix undefined key with root level array.
 
diff --git a/bower.json b/bower.json
index e3686db..ce2bb83 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "dot-object",
-  "version": "2.1.2",
+  "version": "2.1.3",
   "description": "dot-object makes it possible to transform and read (JSON) objects using dot notation.",
   "main": "dist/dot-object.js",
   "authors": [
diff --git a/dist/dot-object.js b/dist/dot-object.js
index 208a405..32d457d 100644
--- a/dist/dot-object.js
+++ b/dist/dot-object.js
@@ -46,11 +46,25 @@
         return Object.keys(val).length === 0
     }
 
+    var blacklist = ['__proto__', 'prototype', 'constructor']
+    var blacklistFilter = function(part) {
+        return blacklist.indexOf(part) === -1
+    }
+
     function parsePath(path, sep) {
         if (path.indexOf('[') >= 0) {
             path = path.replace(/\[/g, '.').replace(/]/g, '')
         }
-        return path.split(sep)
+
+        var parts = path.split(sep)
+
+        var check = parts.filter(blacklistFilter)
+
+        if (check.length !== parts.length) {
+            throw Error('Refusing to update blacklisted property ' + path)
+        }
+
+        return parts
     }
 
     var hasOwnProperty = Object.prototype.hasOwnProperty
@@ -85,8 +99,7 @@
         var k = a.shift()
 
         if (a.length > 0) {
-            obj[k] = obj[k] ||
-                (this.useArray && isIndex(a[0]) ? [] : {})
+            obj[k] = obj[k] || (this.useArray && isIndex(a[0]) ? [] : {})
 
             if (!isArrayOrObject(obj[k])) {
                 if (this.override) {
@@ -104,8 +117,7 @@
 
             this._fill(a, obj[k], v, mod)
         } else {
-            if (!this.override &&
-                isArrayOrObject(obj[k]) && !isEmptyObject(obj[k])) {
+            if (!this.override && isArrayOrObject(obj[k]) && !isEmptyObject(obj[k])) {
                 if (!(isArrayOrObject(v) && isEmptyObject(v))) {
                     throw new Error("Trying to redefine non-empty obj['" + k + "']")
                 }
@@ -197,7 +209,7 @@
         for (i = 0; i < keys.length; i++) {
             key = parseKey(keys[i], obj)
             if (obj && typeof obj === 'object' && key in obj) {
-                if (i === (keys.length - 1)) {
+                if (i === keys.length - 1) {
                     if (remove) {
                         val = obj[key]
                         if (reindexArray && Array.isArray(obj)) {
@@ -342,13 +354,21 @@
      * @param {Function|Array} mods
      * @param {Boolean} merge
      */
-    DotObject.prototype.transfer = function(source, target, obj1, obj2, mods, merge) {
+    DotObject.prototype.transfer = function(
+        source,
+        target,
+        obj1,
+        obj2,
+        mods,
+        merge
+    ) {
         if (typeof mods === 'function' || Array.isArray(mods)) {
-            this.set(target,
-                _process(
-                    this.pick(source, obj1, true),
-                    mods
-                ), obj2, merge)
+            this.set(
+                target,
+                _process(this.pick(source, obj1, true), mods),
+                obj2,
+                merge
+            )
         } else {
             merge = mods
             this.set(target, this.pick(source, obj1, true), obj2, merge)
@@ -373,16 +393,16 @@
      */
     DotObject.prototype.copy = function(source, target, obj1, obj2, mods, merge) {
         if (typeof mods === 'function' || Array.isArray(mods)) {
-            this.set(target,
+            this.set(
+                target,
                 _process(
                     // clone what is picked
-                    JSON.parse(
-                        JSON.stringify(
-                            this.pick(source, obj1, false)
-                        )
-                    ),
+                    JSON.parse(JSON.stringify(this.pick(source, obj1, false))),
                     mods
-                ), obj2, merge)
+                ),
+                obj2,
+                merge
+            )
         } else {
             merge = mods
             this.set(target, this.pick(source, obj1, false), obj2, merge)
@@ -414,7 +434,7 @@
 
         for (i = 0; i < keys.length; i++) {
             key = keys[i]
-            if (i === (keys.length - 1)) {
+            if (i === keys.length - 1) {
                 if (merge && isObject(val) && isObject(obj[key])) {
                     for (k in val) {
                         if (hasOwnProperty.call(val, k)) {
@@ -472,9 +492,11 @@
     DotObject.prototype.transform = function(recipe, obj, tgt) {
         obj = obj || {}
         tgt = tgt || {}
-        Object.keys(recipe).forEach(function(key) {
-            this.set(recipe[key], this.pick(key, obj), tgt)
-        }.bind(this))
+        Object.keys(recipe).forEach(
+            function(key) {
+                this.set(recipe[key], this.pick(key, obj), tgt)
+            }.bind(this)
+        )
         return tgt
     }
 
@@ -500,31 +522,33 @@
         path = path || []
         var isArray = Array.isArray(obj)
 
-        Object.keys(obj).forEach(function(key) {
-            var index = isArray && this.useBrackets ? '[' + key + ']' : key
-            if (
-                (
+        Object.keys(obj).forEach(
+            function(key) {
+                var index = isArray && this.useBrackets ? '[' + key + ']' : key
+                if (
                     isArrayOrObject(obj[key]) &&
-                    (
-                        (isObject(obj[key]) && !isEmptyObject(obj[key])) ||
-                        (Array.isArray(obj[key]) && (!this.keepArray && (obj[key].length !== 0)))
-                    )
-                )
-            ) {
-                if (isArray && this.useBrackets) {
-                    var previousKey = path[path.length - 1] || ''
-                    return this.dot(obj[key], tgt, path.slice(0, -1).concat(previousKey + index))
-                } else {
-                    return this.dot(obj[key], tgt, path.concat(index))
-                }
-            } else {
-                if (isArray && this.useBrackets) {
-                    tgt[path.join(this.separator).concat('[' + key + ']')] = obj[key]
+                    ((isObject(obj[key]) && !isEmptyObject(obj[key])) ||
+                        (Array.isArray(obj[key]) && !this.keepArray && obj[key].length !== 0))
+                ) {
+                    if (isArray && this.useBrackets) {
+                        var previousKey = path[path.length - 1] || ''
+                        return this.dot(
+                            obj[key],
+                            tgt,
+                            path.slice(0, -1).concat(previousKey + index)
+                        )
+                    } else {
+                        return this.dot(obj[key], tgt, path.concat(index))
+                    }
                 } else {
-                    tgt[path.concat(index).join(this.separator)] = obj[key]
+                    if (isArray && this.useBrackets) {
+                        tgt[path.join(this.separator).concat('[' + key + ']')] = obj[key]
+                    } else {
+                        tgt[path.concat(index).join(this.separator)] = obj[key]
+                    }
                 }
-            }
-        }.bind(this))
+            }.bind(this)
+        )
         return tgt
     }
 
@@ -538,9 +562,7 @@
     DotObject.set = wrap('set')
     DotObject.delete = wrap('delete')
     DotObject.del = DotObject.remove = wrap('remove')
-    DotObject.dot = wrap('dot')
-
-    ;
+    DotObject.dot = wrap('dot');
     ['override', 'overwrite'].forEach(function(prop) {
         Object.defineProperty(DotObject, prop, {
             get: function() {
@@ -550,9 +572,7 @@
                 dotDefault.override = !!val
             }
         })
-    })
-
-    ;
+    });
     ['useArray', 'keepArray', 'useBrackets'].forEach(function(prop) {
         Object.defineProperty(DotObject, prop, {
             get: function() {
diff --git a/dist/dot-object.min.js b/dist/dot-object.min.js
index 356a592..a7cdf42 100644
--- a/dist/dot-object.min.js
+++ b/dist/dot-object.min.js
@@ -1 +1 @@
-!function(t){"use strict";function s(t,r){var e,i;if("function"==typeof r)void 0!==(i=r(t))&&(t=i);else if(Array.isArray(r))for(e=0;e<r.length;e++)void 0!==(i=r[e](t))&&(t=i);return t}function f(t){return"[object Object]"===Object.prototype.toString.call(t)}function a(t){return Object(t)===t}function c(t){return 0===Object.keys(t).length}function u(t,r){return 0<=t.indexOf("[")&&(t=t.replace(/\[/g,".").replace(/]/g,"")),t.split(r)}var p=Object.prototype.hasOwnProperty;function n(t,r,e,i){if(!(this instanceof n))return new n(t,r,e,i);void 0===r&&(r=!1),void 0===e&&(e=!0),void 0===i&&(i=!0),this.separator=t||".",this.override=r,this.useArray=e,this.useBrackets=i,this.keepArray=!1,this.cleanup=[]}var e=new n(".",!1,!0,!0);function r(t){return function(){return e[t].apply(e,arguments)}}n.prototype._fill=function(t,r,e,i){var n=t.shift();if(0<t.length){if(r[n]=r[n]||(this.useArray&&function(t){return/^\d+$/.test(t)}(t[0])?[]:{}),!a(r[n])){if(!this.override){if(!a(e)||!c(e))throw new Error("Trying to redefine `"+n+"` which is a "+typeof r[n]);return}r[n]={}}this._fill(t,r[n],e,i)}else{if(!this.override&&a(r[n])&&!c(r[n])){if(!a(e)||!c(e))throw new Error("Trying to redefine non-empty obj['"+n+"']");return}r[n]=s(e,i)}},n.prototype.object=function(i,n){var o=this;return Object.keys(i).forEach(function(t){var r=void 0===n?null:n[t],e=u(t,o.separator).join(o.separator);-1!==e.indexOf(o.separator)?(o._fill(e.split(o.separator),i,i[t],r),delete i[t]):i[t]=s(i[t],r)}),i},n.prototype.str=function(t,r,e,i){var n=u(t,this.separator).join(this.separator);return-1!==t.indexOf(this.separator)?this._fill(n.split(this.separator),e,r,i):e[t]=s(r,i),e},n.prototype.pick=function(t,r,e,i){var n,o,s,a,c,f,p;for(o=u(t,this.separator),n=0;n<o.length;n++){if(f=o[n],p=r,a="-"===f[0]&&Array.isArray(p)&&/^-\d+$/.test(f)?p.length+parseInt(f,10):f,!(r&&"object"==typeof r&&a in r))return;if(n===o.length-1)return e?(s=r[a],i&&Array.isArray(r)?r.splice(a,1):delete r[a],Array.isArray(r)&&(c=o.slice(0,-1).join("."),-1===this.cleanup.indexOf(c)&&this.cleanup.push(c)),s):r[a];r=r[a]}return e&&Array.isArray(r)&&(r=r.filter(function(t){return void 0!==t})),r},n.prototype.delete=function(t,r){return this.remove(t,r,!0)},n.prototype.remove=function(t,r,e){var i;if(this.cleanup=[],Array.isArray(t)){for(i=0;i<t.length;i++)this.pick(t[i],r,!0,e);return e||this._cleanup(r),r}return this.pick(t,r,!0,e)},n.prototype._cleanup=function(t){var r,e,i,n;if(this.cleanup.length){for(e=0;e<this.cleanup.length;e++)r=(r=(n=(i=this.cleanup[e].split(".")).splice(0,-1).join("."))?this.pick(n,t):t)[i[0]].filter(function(t){return void 0!==t}),this.set(this.cleanup[e],r,t);this.cleanup=[]}},n.prototype.del=n.prototype.remove,n.prototype.move=function(t,r,e,i,n){return"function"==typeof i||Array.isArray(i)?this.set(r,s(this.pick(t,e,!0),i),e,n):(n=i,this.set(r,this.pick(t,e,!0),e,n)),e},n.prototype.transfer=function(t,r,e,i,n,o){return"function"==typeof n||Array.isArray(n)?this.set(r,s(this.pick(t,e,!0),n),i,o):(o=n,this.set(r,this.pick(t,e,!0),i,o)),i},n.prototype.copy=function(t,r,e,i,n,o){return"function"==typeof n||Array.isArray(n)?this.set(r,s(JSON.parse(JSON.stringify(this.pick(t,e,!1))),n),i,o):(o=n,this.set(r,this.pick(t,e,!1),i,o)),i},n.prototype.set=function(t,r,e,i){var n,o,s,a;if(void 0===r)return e;for(s=u(t,this.separator),n=0;n<s.length;n++){if(a=s[n],n===s.length-1)if(i&&f(r)&&f(e[a]))for(o in r)p.call(r,o)&&(e[a][o]=r[o]);else if(i&&Array.isArray(e[a])&&Array.isArray(r))for(var c=0;c<r.length;c++)e[s[n]].push(r[c]);else e[a]=r;else p.call(e,a)&&(f(e[a])||Array.isArray(e[a]))||(/^\d+$/.test(s[n+1])?e[a]=[]:e[a]={});e=e[a]}return e},n.prototype.transform=function(r,e,i){return e=e||{},i=i||{},Object.keys(r).forEach(function(t){this.set(r[t],this.pick(t,e),i)}.bind(this)),i},n.prototype.dot=function(i,n,o){n=n||{},o=o||[];var s=Array.isArray(i);return Object.keys(i).forEach(function(t){var r=s&&this.useBrackets?"["+t+"]":t;if(a(i[t])&&(f(i[t])&&!c(i[t])||Array.isArray(i[t])&&!this.keepArray&&0!==i[t].length)){if(s&&this.useBrackets){var e=o[o.length-1]||"";return this.dot(i[t],n,o.slice(0,-1).concat(e+r))}return this.dot(i[t],n,o.concat(r))}s&&this.useBrackets?n[o.join(this.separator).concat("["+t+"]")]=i[t]:n[o.concat(r).join(this.separator)]=i[t]}.bind(this)),n},n.pick=r("pick"),n.move=r("move"),n.transfer=r("transfer"),n.transform=r("transform"),n.copy=r("copy"),n.object=r("object"),n.str=r("str"),n.set=r("set"),n.delete=r("delete"),n.del=n.remove=r("remove"),n.dot=r("dot"),["override","overwrite"].forEach(function(t){Object.defineProperty(n,t,{get:function(){return e.override},set:function(t){e.override=!!t}})}),["useArray","keepArray","useBrackets"].forEach(function(r){Object.defineProperty(n,r,{get:function(){return e[r]},set:function(t){e[r]=t}})}),n._process=s,"function"==typeof define&&define.amd?define(function(){return n}):"undefined"!=typeof module&&module.exports?module.exports=n:t.DotObject=n}(this);
\ No newline at end of file
+!function(t){"use strict";function s(t,r){var e,i;if("function"==typeof r)void 0!==(i=r(t))&&(t=i);else if(Array.isArray(r))for(e=0;e<r.length;e++)void 0!==(i=r[e](t))&&(t=i);return t}function p(t){return"[object Object]"===Object.prototype.toString.call(t)}function a(t){return Object(t)===t}function c(t){return 0===Object.keys(t).length}function i(t){return-1===r.indexOf(t)}var r=["__proto__","prototype","constructor"];function u(t,r){0<=t.indexOf("[")&&(t=t.replace(/\[/g,".").replace(/]/g,""));var e=t.split(r);if(e.filter(i).length!==e.length)throw Error("Refusing to update blacklisted property "+t);return e}var f=Object.prototype.hasOwnProperty;function n(t,r,e,i){if(!(this instanceof n))return new n(t,r,e,i);void 0===r&&(r=!1),void 0===e&&(e=!0),void 0===i&&(i=!0),this.separator=t||".",this.override=r,this.useArray=e,this.useBrackets=i,this.keepArray=!1,this.cleanup=[]}var e=new n(".",!1,!0,!0);function o(t){return function(){return e[t].apply(e,arguments)}}n.prototype._fill=function(t,r,e,i){var n=t.shift();if(0<t.length){if(r[n]=r[n]||(this.useArray&&function(t){return/^\d+$/.test(t)}(t[0])?[]:{}),!a(r[n])){if(!this.override){if(!a(e)||!c(e))throw new Error("Trying to redefine `"+n+"` which is a "+typeof r[n]);return}r[n]={}}this._fill(t,r[n],e,i)}else{if(!this.override&&a(r[n])&&!c(r[n])){if(!a(e)||!c(e))throw new Error("Trying to redefine non-empty obj['"+n+"']");return}r[n]=s(e,i)}},n.prototype.object=function(i,n){var o=this;return Object.keys(i).forEach(function(t){var r=void 0===n?null:n[t],e=u(t,o.separator).join(o.separator);-1!==e.indexOf(o.separator)?(o._fill(e.split(o.separator),i,i[t],r),delete i[t]):i[t]=s(i[t],r)}),i},n.prototype.str=function(t,r,e,i){var n=u(t,this.separator).join(this.separator);return-1!==t.indexOf(this.separator)?this._fill(n.split(this.separator),e,r,i):e[t]=s(r,i),e},n.prototype.pick=function(t,r,e,i){var n,o,s,a,c,p,f;for(o=u(t,this.separator),n=0;n<o.length;n++){if(p=o[n],f=r,a="-"===p[0]&&Array.isArray(f)&&/^-\d+$/.test(p)?f.length+parseInt(p,10):p,!(r&&"object"==typeof r&&a in r))return;if(n===o.length-1)return e?(s=r[a],i&&Array.isArray(r)?r.splice(a,1):delete r[a],Array.isArray(r)&&(c=o.slice(0,-1).join("."),-1===this.cleanup.indexOf(c)&&this.cleanup.push(c)),s):r[a];r=r[a]}return e&&Array.isArray(r)&&(r=r.filter(function(t){return void 0!==t})),r},n.prototype.delete=function(t,r){return this.remove(t,r,!0)},n.prototype.remove=function(t,r,e){var i;if(this.cleanup=[],Array.isArray(t)){for(i=0;i<t.length;i++)this.pick(t[i],r,!0,e);return e||this._cleanup(r),r}return this.pick(t,r,!0,e)},n.prototype._cleanup=function(t){var r,e,i,n;if(this.cleanup.length){for(e=0;e<this.cleanup.length;e++)r=(r=(n=(i=this.cleanup[e].split(".")).splice(0,-1).join("."))?this.pick(n,t):t)[i[0]].filter(function(t){return void 0!==t}),this.set(this.cleanup[e],r,t);this.cleanup=[]}},n.prototype.del=n.prototype.remove,n.prototype.move=function(t,r,e,i,n){return"function"==typeof i||Array.isArray(i)?this.set(r,s(this.pick(t,e,!0),i),e,n):(n=i,this.set(r,this.pick(t,e,!0),e,n)),e},n.prototype.transfer=function(t,r,e,i,n,o){return"function"==typeof n||Array.isArray(n)?this.set(r,s(this.pick(t,e,!0),n),i,o):(o=n,this.set(r,this.pick(t,e,!0),i,o)),i},n.prototype.copy=function(t,r,e,i,n,o){return"function"==typeof n||Array.isArray(n)?this.set(r,s(JSON.parse(JSON.stringify(this.pick(t,e,!1))),n),i,o):(o=n,this.set(r,this.pick(t,e,!1),i,o)),i},n.prototype.set=function(t,r,e,i){var n,o,s,a;if(void 0===r)return e;for(s=u(t,this.separator),n=0;n<s.length;n++){if(a=s[n],n===s.length-1)if(i&&p(r)&&p(e[a]))for(o in r)f.call(r,o)&&(e[a][o]=r[o]);else if(i&&Array.isArray(e[a])&&Array.isArray(r))for(var c=0;c<r.length;c++)e[s[n]].push(r[c]);else e[a]=r;else f.call(e,a)&&(p(e[a])||Array.isArray(e[a]))||(/^\d+$/.test(s[n+1])?e[a]=[]:e[a]={});e=e[a]}return e},n.prototype.transform=function(r,e,i){return e=e||{},i=i||{},Object.keys(r).forEach(function(t){this.set(r[t],this.pick(t,e),i)}.bind(this)),i},n.prototype.dot=function(i,n,o){n=n||{},o=o||[];var s=Array.isArray(i);return Object.keys(i).forEach(function(t){var r=s&&this.useBrackets?"["+t+"]":t;if(a(i[t])&&(p(i[t])&&!c(i[t])||Array.isArray(i[t])&&!this.keepArray&&0!==i[t].length)){if(s&&this.useBrackets){var e=o[o.length-1]||"";return this.dot(i[t],n,o.slice(0,-1).concat(e+r))}return this.dot(i[t],n,o.concat(r))}s&&this.useBrackets?n[o.join(this.separator).concat("["+t+"]")]=i[t]:n[o.concat(r).join(this.separator)]=i[t]}.bind(this)),n},n.pick=o("pick"),n.move=o("move"),n.transfer=o("transfer"),n.transform=o("transform"),n.copy=o("copy"),n.object=o("object"),n.str=o("str"),n.set=o("set"),n.delete=o("delete"),n.del=n.remove=o("remove"),n.dot=o("dot"),["override","overwrite"].forEach(function(t){Object.defineProperty(n,t,{get:function(){return e.override},set:function(t){e.override=!!t}})}),["useArray","keepArray","useBrackets"].forEach(function(r){Object.defineProperty(n,r,{get:function(){return e[r]},set:function(t){e[r]=t}})}),n._process=s,"function"==typeof define&&define.amd?define(function(){return n}):"undefined"!=typeof module&&module.exports?module.exports=n:t.DotObject=n}(this);
\ No newline at end of file
diff --git a/index.js b/index.js
index ae87252..62044a4 100644
--- a/index.js
+++ b/index.js
@@ -45,16 +45,17 @@ function isEmptyObject (val) {
   return Object.keys(val).length === 0
 }
 
-const blacklist = ['__proto__', 'prototype', 'constructor']
+var blacklist = ['__proto__', 'prototype', 'constructor']
+var blacklistFilter = function (part) { return blacklist.indexOf(part) === -1 }
 
 function parsePath (path, sep) {
   if (path.indexOf('[') >= 0) {
     path = path.replace(/\[/g, '.').replace(/]/g, '')
   }
 
-  const parts = path.split(sep)
+  var parts = path.split(sep)
 
-  const check = parts.filter(part => blacklist.indexOf(part) === -1)
+  var check = parts.filter(blacklistFilter)
 
   if (check.length !== parts.length) {
     throw Error('Refusing to update blacklisted property ' + path)
diff --git a/package.json b/package.json
index 1a64564..3162967 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "dot-object",
   "description": "dot-object makes it possible to transform and read (JSON) objects using dot notation.",
-  "version": "2.1.2",
+  "version": "2.1.3",
   "author": {
     "name": "Rob Halff",
     "email": "rob.halff@gmail.com"
diff --git a/src/dot-object.js b/src/dot-object.js
index a7f5c9e..6a3a0e5 100644
--- a/src/dot-object.js
+++ b/src/dot-object.js
@@ -45,16 +45,17 @@ function isEmptyObject (val) {
   return Object.keys(val).length === 0
 }
 
-const blacklist = ['__proto__', 'prototype', 'constructor']
+var blacklist = ['__proto__', 'prototype', 'constructor']
+var blacklistFilter = function (part) { return blacklist.indexOf(part) === -1 }
 
 function parsePath (path, sep) {
   if (path.indexOf('[') >= 0) {
     path = path.replace(/\[/g, '.').replace(/]/g, '')
   }
 
-  const parts = path.split(sep)
+  var parts = path.split(sep)
 
-  const check = parts.filter(part => blacklist.indexOf(part) === -1)
+  var check = parts.filter(blacklistFilter)
 
   if (check.length !== parts.length) {
     throw Error('Refusing to update blacklisted property ' + path)