Merge pull request #1 from d3m0n-r00t/master

Fixed Prototype pollution in simple-deep-assign
418sec · Jan 22, 2021 · 76c47c5 · 76c47c5
2 parents fb360e6 + fd3d818
commit 76c47c5
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/simpleDeepAssign.js b/simpleDeepAssign.js
@@ -35,6 +35,9 @@ function isObject(item/*: any*/)/*: boolean*/ {
  */
 function deepAssignObject(target/*: Object*/, source/*: Object*/)/*: void*/ {
   Object.keys(source).forEach(key => {
+    if (key === '__proto__' || key === 'prototype' || key === 'constructor'){
+      return;
+    }
     if (isObject(target[key]) && isObject(source[key])) {
       deepAssignObject(target[key], source[key]);
       return;