Merge pull request #12 from ohad2712/fix/address-prototype-pollution-…

…vulnerablity-in-merge-function fix: Address prototype pollution vulnerability in merge function
bigpipe · Jan 30, 2022 · 1a86a01 · 1a86a01
2 parents 238137e + 045c1c7
commit 1a86a01
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -282,7 +282,7 @@ function merge(target, additional) {
     each(additional, function objectForEach(key, value) {
       if (target[key] === undefined) {
         result[key] = value;
-      } else {
+      } else if (has.call(target, key)) {
         result[key] = merge(target[key], additional[key]);
       }
     });

diff --git a/test.js b/test.js
@@ -181,4 +181,12 @@ describe('predefine', function () {
       assume(calls).to.equal(1);
     });
   });
+
+  describe('.merge', function () {
+    it('avoids prototype polluting', function () {
+      predefine.merge({}, JSON.parse('{"__proto__": {"a": "b"}}'));
+
+      assume(({}).a).to.be.undefined();
+   });
+  });
 });