fix: 🐛 fix prototype pollution

filter prototype, __proto__ and constructor
manuelstofer · Aug 25, 2020 · ee4b8e7 · ee4b8e7
1 parent 018e488
commit ee4b8e7
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/index.js b/index.js
@@ -75,6 +75,9 @@ api.set = function set (obj, pointer, value) {
 
     for (var i = 0; i < refTokens.length - 1; ++i) {
         var tok = refTokens[i];
+        if (tok === "__proto__" || tok === "constructor" || tok === "prototype") {
+            continue
+        }
         if (tok === '-' && Array.isArray(obj)) {
           tok = obj.length;
         }