skip assignment to __proto__

hapijs · Feb 15, 2018 · 5aed1a8 · 5aed1a8
1 parent 1db691b
commit 5aed1a8
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/lib/index.js b/lib/index.js
@@ -113,6 +113,10 @@ exports.merge = function (target, source, isNullOverride /* = true */, isMergeAr
     const keys = Object.keys(source);
     for (let i = 0; i < keys.length; ++i) {
         const key = keys[i];
+        if (key === '__proto__') {
+            continue;
+        }
+
         const value = source[key];
         if (value &&
             typeof value === 'object') {

diff --git a/test/index.js b/test/index.js
@@ -614,6 +614,15 @@ describe('merge()', () => {
         expect(a.x.toString()).to.equal('abc');
         done();
     });
+
+    it('skips __proto__', () => {
+
+        const a = '{ "ok": "value", "__proto__": { "test": "value" } }';
+
+        const b = Hoek.merge({}, JSON.parse(a));
+        expect(b).to.equal({ ok: 'value' });
+        expect(b.test).to.equal(undefined);
+    });
 });
 
 describe('applyToDefaults()', () => {