fix(prototype): prevent prototype pollution

APIDevTools · Mar 5, 2024 · 8cad7f7 · 8cad7f7
1 parent b93e3a2
commit 8cad7f7
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/options.ts b/lib/options.ts
@@ -182,7 +182,8 @@ export type ParserOptions = DeepPartial<$RefParserOptions>;
  */
 function merge(target: any, source: any) {
   if (isMergeable(source)) {
-    const keys = Object.keys(source);
+    // prevent prototype pollution
+    const keys = Object.keys(source).filter((key) => !["__proto__", "constructor", "prototype"].includes(key));
     for (let i = 0; i < keys.length; i++) {
       const key = keys[i];
       const sourceSetting = source[key];