Skip to content

Commit

Permalink
fix: prevent changes in prototype chain
Browse files Browse the repository at this point in the history
  • Loading branch information
remy committed Feb 17, 2020
1 parent f495954 commit f272681
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/undefsafe.js
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,10 @@ function undefsafe(obj, path, value, __res) {
return res;
}

if (Object.getOwnPropertyNames(obj).indexOf(key) == -1) {
return undefined;
}

obj = obj[key];
if (obj === undefined || obj === null) {
break;
Expand Down
11 changes: 11 additions & 0 deletions test/misc.test.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
var test = require('tap').test;
var undefsafe = require('../lib/undefsafe');

test('cannot modify prototype chain', function(t) {
const pre = {}.__proto__.toString;
var payload = '__proto__.toString';
undefsafe({ a: 'b' }, payload, 'JHU');
t.notEqual({}.toString, 'JHU');
({}.__proto__.toString = pre); // restore
t.end();
});

0 comments on commit f272681

Please sign in to comment.