From e4858f9d5f447ba6162ca9f2472608a8bac3eca7 Mon Sep 17 00:00:00 2001
From: Eduardo San Martin Morote <posva13@gmail.com>
Date: Thu, 31 Mar 2022 12:05:09 +0200
Subject: [PATCH] fix: avoid prototype pollution

---
 packages/pinia/src/store.ts     | 2 ++
 packages/testing/src/testing.ts | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/packages/pinia/src/store.ts b/packages/pinia/src/store.ts
index 5a23b47537..5aad26e81f 100644
--- a/packages/pinia/src/store.ts
+++ b/packages/pinia/src/store.ts
@@ -59,11 +59,13 @@ function mergeReactiveObjects<T extends StateTree>(
 ): T {
   // no need to go through symbols because they cannot be serialized anyway
   for (const key in patchToApply) {
+    if (!patchToApply.hasOwnProperty(key)) continue
     const subPatch = patchToApply[key]
     const targetValue = target[key]
     if (
       isPlainObject(targetValue) &&
       isPlainObject(subPatch) &&
+      target.hasOwnProperty(key) &&
       !isRef(subPatch) &&
       !isReactive(subPatch)
     ) {
diff --git a/packages/testing/src/testing.ts b/packages/testing/src/testing.ts
index cef0bb333a..0eb594cd2b 100644
--- a/packages/testing/src/testing.ts
+++ b/packages/testing/src/testing.ts
@@ -139,11 +139,13 @@ function mergeReactiveObjects<T extends StateTree>(
 ): T {
   // no need to go through symbols because they cannot be serialized anyway
   for (const key in patchToApply) {
+    if (!patchToApply.hasOwnProperty(key)) continue
     const subPatch = patchToApply[key]
     const targetValue = target[key]
     if (
       isPlainObject(targetValue) &&
       isPlainObject(subPatch) &&
+      target.hasOwnProperty(key) &&
       !isRef(subPatch) &&
       !isReactive(subPatch)
     ) {