From 5aed1a8c4a3d55722d1c799f2368857bf418d6df Mon Sep 17 00:00:00 2001
From: Nathan LaFreniere
Date: Tue, 6 Feb 2018 09:55:01 -0800
Subject: [PATCH 1/2] skip assignment to __proto__

---
 lib/index.js | 4 ++++
 test/index.js | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/lib/index.js b/lib/index.js
index 8c3273eb..75bbeb7c 100755
--- a/lib/index.js
+++ b/lib/index.js
@@ -113,6 +113,10 @@ exports.merge = function (target, source, isNullOverride /* = true */, isMergeAr
 const keys = Object.keys(source);
 for (let i = 0; i < keys.length; ++i) {
 const key = keys[i];
+ if (key === '__proto__') {
+ continue;
+ }
+
 const value = source[key];
 if (value && typeof value === 'object') {
diff --git a/test/index.js b/test/index.js
index d4c188e5..747b6a5e 100755
--- a/test/index.js
+++ b/test/index.js
@@ -614,6 +614,15 @@ describe('merge()', () => {
 expect(a.x.toString()).to.equal('abc');
 done();
 });
+
+ it('skips __proto__', () => {
+
+ const a = '{ "ok": "value", "__proto__": { "test": "value" } }';
+
+ const b = Hoek.merge({}, JSON.parse(a));
+ expect(b).to.equal({ ok: 'value' });
+ expect(b.test).to.equal(undefined);
+ });
 });
 
 describe('applyToDefaults()', () => {

From 0cd2a1272ebecd9e32b2f32c7fcd106fcd10ce81 Mon Sep 17 00:00:00 2001
From: Nicolas Morel
Date: Thu, 15 Feb 2018 10:33:44 +0100
Subject: [PATCH 2/2] Revert to lab 13 style

---
 test/index.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/test/index.js b/test/index.js
index 747b6a5e..82f6c0bd 100755
--- a/test/index.js
+++ b/test/index.js
@@ -615,13 +615,14 @@ describe('merge()', () => {
 done();
 });
 
- it('skips __proto__', () => {
+ it('skips __proto__', (done) => {
 
 const a = '{ "ok": "value", "__proto__": { "test": "value" } }';
 
 const b = Hoek.merge({}, JSON.parse(a));
 expect(b).to.equal({ ok: 'value' });
 expect(b.test).to.equal(undefined);
+ done();
 });
 });
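Review bot: The new `if (key === '__proto__') { continue; }` guard in the `merge` loop of lib/index.js carries no comment explaining why this one key is dropped, and it is the only key the loop filters. A `__proto__` key that arrives as an own property of `source` (which is what `JSON.parse` produces) would otherwise make `target[key]` resolve to the target's prototype instead of an own property, so a short comment such as `// Skip __proto__: merging it would write through to the target's prototype` would keep the check from being removed as dead code later. Whether `constructor` / `prototype` keys need the same treatment depends on the branch below `if (value && typeof value === 'object')`, which is outside this hunk; that is worth confirming and recording next to the guard. The body of `merge` starts and ends outside the hunk.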
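Review bot: The `skips __proto__` test added to test/index.js only exercises the guard at the top level, with an empty target. The check sits inside the per-key loop and `merge` presumably recurses for nested objects (the recursive branch is not visible in the hunk), so a second case is needed where the target already holds a nested object and the source carries `__proto__` inside that same nested key. It would pin the behaviour on the path where the existing target object is merged into rather than replaced. An explicit final assertion on a fresh object, `expect({}.test).to.equal(undefined);`, would also make the intent readable without relying on `b` inheriting from the shared prototype. The same applies to the test as it stands after the second patch, which only adds the `done` callback.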