From 7f8b16c6181c988bdb96613fbb2533b345f68682 Mon Sep 17 00:00:00 2001
From: Anthony Fu
Date: Tue, 30 May 2023 11:15:35 +0200
Subject: [PATCH] fix(deepMerge): prototype pollution
---
 src/object.test.ts | 12 ++++++++++++
 src/object.ts | 3 +++
 2 files changed, 15 insertions(+)
diff --git a/src/object.test.ts b/src/object.test.ts
index 7cc6968..de532fe 100644
--- a/src/object.test.ts
+++ b/src/object.test.ts
@@ -51,4 +51,16 @@ describe('deepMerge', () => {
 const obj2 = { a: ['C'], b: ['D'] }
 expect(deepMerge({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] })
 })
+
+ it('prototype pollution 1', () => {
+ const obj = {} as any
+ const obj2 = {} as any
+ const payload = JSON.parse('{"__proto__":{"polluted":"Polluted!"}}')
+
+ expect(obj.polluted).toBeUndefined()
+ expect(obj2.polluted).toBeUndefined()
+ deepMerge(obj, payload)
+ expect(obj.polluted).toBeUndefined()
+ expect(obj2.polluted).toBeUndefined()
+ })
 })
diff --git a/src/object.ts b/src/object.ts
index 71c4313..089e0e1 100644
--- a/src/object.ts
+++ b/src/object.ts
@@ -82,6 +82,9 @@ export function deepMerge(targe
 if (isMergableObject(target) && isMergableObject(source)) {
 objectKeys(source).forEach((key) => {
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype')
+ return
+
 // @ts-expect-error
 if (isMergableObject(source[key])) {
 // @ts-expect-error
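Review bot: The new test in src/object.test.ts exercises only the `__proto__` key, so the `constructor` and `prototype` branches of the guard added in src/object.ts are never asserted; one more case feeding a `constructor.prototype` payload would pin them down (whether that path was reachable before the fix depends on isMergableObject, which is outside the hunk, but the guard is cheap to cover). The `JSON.parse` on the payload line is load-bearing and deserves a why-comment, because an object literal `{ __proto__: {...} }` sets the prototype instead of creating an own key and would never reach `objectKeys(source)`: `// JSON.parse yields an own '__proto__' key; an object literal would not`. Reading `obj2` before and after the merge is what detects pollution of the shared Object.prototype rather than of `obj` alone, so a short comment such as `// fresh object: catches pollution of Object.prototype` would make that intent visible. The enclosing describe block continues outside the hunk.
```typescript
  // … unchanged: existing deepMerge cases and 'prototype pollution 1' …

  it('prototype pollution 2 (constructor.prototype)', () => {
    const obj = {} as any
    // JSON.parse yields an own 'constructor' key; an object literal would not
    const payload = JSON.parse('{"constructor":{"prototype":{"polluted":"Polluted!"}}}')

    deepMerge(obj, payload)
    expect(obj.polluted).toBeUndefined()
    // fresh object: catches pollution of Object.prototype
    expect(({} as any).polluted).toBeUndefined()
  })
```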