Copy own __proto__ safely (#164)

Copy own __proto__ safely

index.js

@@ -36,6 +36,19 @@ function getKeys(target) {
 	return Object.keys(target).concat(getEnumerableOwnPropertySymbols(target))
 }
 
+// Protects from prototype poisoning and unexpected merging up the prototype chain.
+function propertyIsUnsafe(target, key) {
+	try {
+		return (key in target) // Properties are safe to merge if they don't exist in the target yet,
+			&& !(Object.hasOwnProperty.call(target, key) // unsafe if they exist up the prototype chain,
+				&& Object.propertyIsEnumerable.call(target, key)) // and also unsafe if they're nonenumerable.
+	} catch (unused) {
+		// Counterintuitively, it's safe to merge any property on a target that causes the `in` operator to throw.
+		// This happens when trying to copy an object in the source over a plain string in the target.
+		return false
+	}
+}
+
 function mergeObject(target, source, options) {
 	var destination = {}
 	if (options.isMergeableObject(target)) {
@@ -44,6 +57,10 @@ function mergeObject(target, source, options) {
 		})
 	}
 	getKeys(source).forEach(function(key) {
+		if (propertyIsUnsafe(target, key)) {
+			return
+		}
+
 		if (!options.isMergeableObject(source[key]) || !target[key]) {
 			destination[key] = cloneUnlessOtherwiseSpecified(source[key], options)
 		} else {

test/prototype-poisoning.js

@@ -0,0 +1,78 @@
+var merge = require('../')
+var test = require('tape')
+var isMergeableObject = require('is-mergeable-object')
+
+test('merging objects with own __proto__', function(t) {
+	var user = {}
+	var malicious = JSON.parse('{ "__proto__": { "admin": true } }')
+	var mergedObject = merge(user, malicious)
+	t.notOk(mergedObject.__proto__.admin, 'non-plain properties should not be merged')
+	t.notOk(mergedObject.admin, 'the destination should have an unmodified prototype')
+	t.end()
+})
+
+test('merging objects with plain and non-plain properties', function(t) {
+	var plainSymbolKey = Symbol('plainSymbolKey')
+	var parent = {
+		parentKey: 'should be undefined'
+	}
+
+	var target = Object.create(parent)	
+	target.plainKey = 'should be replaced'
+	target[plainSymbolKey] = 'should also be replaced'
+
+	var source = {
+		parentKey: 'foo',
+		plainKey: 'bar',
+		newKey: 'baz',
+		[plainSymbolKey]: 'qux'
+	}
+
+	var mergedObject = merge(target, source)
+	t.equal(undefined, mergedObject.parentKey, 'inherited properties of target should be removed, not merged or ignored')
+	t.equal('bar', mergedObject.plainKey, 'enumerable own properties of target should be merged')
+	t.equal('baz', mergedObject.newKey, 'properties not yet on target should be merged')
+	t.equal('qux', mergedObject[plainSymbolKey], 'enumerable own symbol properties of target should be merged')
+	t.end()
+})
+
+// the following cases come from the thread here: https://github.com/TehShrike/deepmerge/pull/164
+test('merging strings works with a custom string merge', function(t) {
+	var target = { name: "Alexander" }
+	var source = { name: "Hamilton" }
+	function customMerge(key, options) {
+		if (key === 'name') {
+			return function(target, source, options) {
+				return target[0] + '. ' + source.substring(0, 3)
+			}
+		} else {
+			return merge
+		}
+	}
+
+	function mergeable(target) {
+		return isMergeableObject(target) || (typeof target === 'string' && target.length > 1)
+	}
+
+	t.equal('A. Ham', merge(target, source, { customMerge: customMerge, isMergeableObject: mergeable }).name)
+	t.end()
+})
+
+test('merging objects with null prototype', function(t) {
+	var target = Object.create(null)
+	var source = Object.create(null)
+	target.wheels = 4
+	target.trunk = { toolbox: ['hammer'] }
+	source.trunk = { toolbox: ['wrench'] }
+	source.engine = 'v8'
+	var expected = {
+		wheels: 4,
+		engine: 'v8',
+		trunk: {
+			toolbox: ['hammer', 'wrench' ]
+		}
+	}
+
+	t.deepEqual(expected, merge(target, source))
+	t.end()
+})