Fix prototype pollution

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-merge

⚙️ Description *

js.merge package is vulnerable to prototype pollution issue

💻 Technical Description *

Fixed by adding missing magical attributes, to filter.
- if (key === '__proto__'){
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype'){

🐛 Proof of Concept (PoC) *

1. Install the package, run the below code:

var mergelib = require('merge');
var obj = mergelib({}, JSON.parse('{ "testProperty": "hi", "prototype" : { "status" : "pwned!" } }'));
console.log(obj.prototype.status);

Outputs: pwned.

🔥 Proof of Fix (PoF) *

After fix prototype.status is undefined

👍 User Acceptance Testing (UAT)

After fix functionality is unafected

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord