From 38a4d1caead72ef99e824bb420a2528eec03d9ab Mon Sep 17 00:00:00 2001
From: substack <substack@bits.coop>
Date: Tue, 10 Mar 2020 09:08:00 -1000
Subject: [PATCH] even more aggressive checks for protocol pollution
---
index.js | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 6a0559d..cfdf0a5 100644
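--- a/index.js
+++ b/index.js
@@ -68,12 +68,21 @@ module.exports = function (args, opts) {
 
 function setKey (obj, keys, value) {
 var o = obj;
- keys.slice(0,-1).forEach(function (key) {
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+ if (key === '__proto__') return;
 if (o[key] === undefined) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+ if (o[key] === Array.prototype) o[key] = [];
 o = o[key];
- });
+ }
 
 var key = keys[keys.length - 1];
+ if (key === '__proto__') return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
 if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
 o[key] = value;
 }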
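Review bot: The new guards in setKey reject only the literal key `__proto__` and otherwise compare against a fixed list of four prototype objects, so a key path that reaches a shared prototype through another property (for instance `constructor`) is not stopped at the key level. Inside the loop, the repair `o[key] = {}` appears to fail silently when the matched property is read-only, as `prototype` is on built-in constructors; `o = o[key]` would then still step into the shared prototype, and the next iteration's `if (o[key] === undefined) o[key] = {};` would write to it. Rejecting the key is more robust than replacing the value afterwards: `if (key === '__proto__' || (key === 'constructor' && typeof o[key] === 'function')) return;`, applied both in the loop and before the final assignment. The body of setKey continues past the end of this hunk, so any later branches that also write to `o[key]` are not visible here and should be checked against the same guard.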
--
2.23.0