From 5c9ebb0b5fd025622cafbf8628ac259db0642533 Mon Sep 17 00:00:00 2001
From: Timo Machel <timo-benjamin.machel@deutschebahn.com>
Date: Tue, 3 May 2022 15:31:41 +0200
Subject: [PATCH 1/2] fixed issue#33 CVE-2022-25645 added test for it

---
 package.json             |  4 ++--
 src/merge.js             |  1 +
 test/suites/pollution.js | 13 +++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 9180795..c4592c7 100644
--- a/package.json
+++ b/package.json
@@ -51,8 +51,8 @@
     "set"
   ],
   "devDependencies": {
-    "bundt": "1.1.2",
+    "bundt": "1.1.5",
     "esm": "3.2.25",
-    "uvu": "0.5.1"
+    "uvu": "0.5.3"
   }
 }
diff --git a/src/merge.js b/src/merge.js
index d428b14..49f467b 100644
--- a/src/merge.js
+++ b/src/merge.js
@@ -6,6 +6,7 @@ export function merge(a, b, k) {
 			}
 		} else {
 			for (k in b) {
+				if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
 				a[k] = merge(a[k], b[k]);
 			}
 		}
diff --git a/test/suites/pollution.js b/test/suites/pollution.js
index 2bca8dd..6965213 100644
--- a/test/suites/pollution.js
+++ b/test/suites/pollution.js
@@ -85,5 +85,18 @@ export default function (dset) {
 		});
 	});
 
+	// Test for CVE-2022-25645 - CWE-1321 
+	pollution(
+		"should ignore JSON.parse crafted object including __proto__ :: provided by snyk",
+		() => {
+			var a = { b: { c: 1 } };
+			assert.is(a.polluted, undefined);
+			assert.is({}.polluted, undefined);
+			dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}')); //Needs to craft payload with JSON.parse to keep the object key proto
+			assert.is(a.polluted, undefined);
+			assert.is({}.polluted, undefined);
+		}
+	);
+
 	pollution.run();
 }

From f96df947a467c0ace07cc24e2b33b5335fd8ee9b Mon Sep 17 00:00:00 2001
From: Luke Edwards <luke.edwards05@gmail.com>
Date: Tue, 3 May 2022 08:32:44 -0700
Subject: [PATCH 2/2] Apply suggestions from code review

---
 package.json             |  4 ++--
 test/suites/pollution.js | 19 ++++++++-----------
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/package.json b/package.json
index c4592c7..9180795 100644
--- a/package.json
+++ b/package.json
@@ -51,8 +51,8 @@
     "set"
   ],
   "devDependencies": {
-    "bundt": "1.1.5",
+    "bundt": "1.1.2",
     "esm": "3.2.25",
-    "uvu": "0.5.3"
+    "uvu": "0.5.1"
   }
 }
diff --git a/test/suites/pollution.js b/test/suites/pollution.js
index 6965213..bf47756 100644
--- a/test/suites/pollution.js
+++ b/test/suites/pollution.js
@@ -86,17 +86,14 @@ export default function (dset) {
 	});
 
 	// Test for CVE-2022-25645 - CWE-1321 
-	pollution(
-		"should ignore JSON.parse crafted object including __proto__ :: provided by snyk",
-		() => {
-			var a = { b: { c: 1 } };
-			assert.is(a.polluted, undefined);
-			assert.is({}.polluted, undefined);
-			dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}')); //Needs to craft payload with JSON.parse to keep the object key proto
-			assert.is(a.polluted, undefined);
-			assert.is({}.polluted, undefined);
-		}
-	);
+	pollution('should ignore JSON.parse crafted object with "__proto__" key', () => {
+		let a = { b: { c: 1 } };
+		assert.is(a.polluted, undefined);
+		assert.is({}.polluted, undefined);
+		dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}'));
+		assert.is(a.polluted, undefined);
+		assert.is({}.polluted, undefined);
+	});
 
 	pollution.run();
 }