Fix prototype pollution

yeikos · yeikos · commit 6ad6035b901b · 2018-10-27T19:25:39.000+02:00
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2014 yeikos - http://www.yeikos.com
+Copyright (c) 2014 yeikos
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/bower.json b/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "merge",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "homepage": "https://github.com/yeikos/js.merge",
   "authors": [
     "yeikos <yeikos@gmail.com>"
diff --git a/merge.js b/merge.js
@@ -1,5 +1,5 @@
 /*!
- * @name JavaScript/NodeJS Merge v1.2.0
+ * @name JavaScript/NodeJS Merge v1.2.1
  * @author yeikos
  * @repository https://github.com/yeikos/js.merge
 
@@ -128,6 +128,8 @@
 
 			for (var key in item) {
 
+				if (key === '__proto__') continue;
+
 				var sitem = clone ? Public.clone(item[key]) : item[key];
 
 				if (recursive) {
diff --git a/merge.min.js b/merge.min.js
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "merge",
-  "version": "1.2.0",
-  "author": "yeikos (http://www.yeikos.com)",
+  "version": "1.2.1",
+  "author": "yeikos",
   "description": "Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.",
   "main": "merge.js",
   "license": "MIT",
diff --git a/tests/tests.js b/tests/tests.js
@@ -50,6 +50,25 @@ test('merge', function() {
 
 });
 
+test('merge (prototype pollution attack)', function() {
+
+	deepEqual(
+
+		merge({}, JSON.parse('{"__proto__": {"a": true}}')),
+		{}
+
+	);
+
+	deepEqual(
+
+		{}.a,
+
+		undefined
+
+	);
+
+});
+
 test('merge (clone)', function() {
 
 	var input = {
@@ -143,6 +162,25 @@ test('merge.recursive', function() {
 
 });
 
+test('merge.recursive (prototype pollution attack)', function() {
+
+	deepEqual(
+
+		merge.recursive({}, JSON.parse('{"__proto__": {"a": true}}')),
+		{}
+
+	);
+
+	deepEqual(
+
+		{}.a,
+
+		undefined
+
+	);
+
+});
+
 test('merge.recursive (clone)', function() {
 
 	var input = { a: { b: 1 } };

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "merge",`
`3`		`- "version": "1.2.0",`
	`3`	`+ "version": "1.2.1",`
`4`	`4`	`"homepage": "https://github.com/yeikos/js.merge",`
`5`	`5`	`"authors": [`
`6`	`6`	`"yeikos <[email protected]>"`