Skip to content

Commit

Permalink
skip assignment to __proto__
Browse files Browse the repository at this point in the history
  • Loading branch information
nlf committed Feb 6, 2018
1 parent dfadda7 commit 32ed5c9
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,10 @@ exports.merge = function (target, source, isNullOverride /* = true */, isMergeAr
const keys = Object.keys(source);
for (let i = 0; i < keys.length; ++i) {
const key = keys[i];
if (key === '__proto__') {
continue;
}

const value = source[key];
if (value &&
typeof value === 'object') {
Expand Down
9 changes: 9 additions & 0 deletions test/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -585,6 +585,15 @@ describe('merge()', () => {
Hoek.merge({ x: {} }, a);
expect(a.x.toString()).to.equal('abc');
});

it('skips __proto__', () => {

const a = '{ "ok": "value", "__proto__": { "test": "value" } }';

const b = Hoek.merge({}, JSON.parse(a));
expect(b).to.equal({ ok: 'value' });
expect(b.test).to.equal(undefined);
});
});

describe('applyToDefaults()', () => {
Expand Down

0 comments on commit 32ed5c9

Please sign in to comment.