Skip to content

Commit

Permalink
Backport #352. Closes #353
Browse files Browse the repository at this point in the history
  • Loading branch information
hueniverse committed Feb 8, 2020
1 parent 4ae5f53 commit 4d0804b
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/clone.js
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,10 @@ module.exports = internals.clone = function (obj, options = {}, _seen = null) {

const keys = Utils.keys(obj, options);
for (const key of keys) {
if (key === '__proto__') {
continue;
}

if (baseProto === Types.array &&
key === 'length') {

Expand Down
9 changes: 9 additions & 0 deletions test/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -762,6 +762,15 @@ describe('clone()', () => {
expect(copy.a).to.shallow.equal(obj.a);
expect(copy.x).to.shallow.equal(obj);
});

it('prevents prototype poisoning', () => {

const a = JSON.parse('{ "__proto__": { "x": 1 } }');
expect(a.x).to.not.exist();

const b = Hoek.clone(a);
expect(b.x).to.not.exist();
});
});

describe('merge()', () => {
Expand Down

0 comments on commit 4d0804b

Please sign in to comment.