back port patch for 4.0.1

doowb · doowb · commit 09c4b108fea3 · 2022-08-16T12:41:12.000-04:00
diff --git a/index.js b/index.js
@@ -99,6 +99,10 @@ function createKey(pattern, options) {
 }
 
 function isValidKey(key) {
+  if (typeof key !== 'string' && typeof key !== 'number') {
+    key = String(key);
+  }
+
   return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
 }
 
diff --git a/test.js b/test.js
@@ -210,3 +210,12 @@ describe('options', function() {
     assert.equal(o.a['{b.c.d}'].e, 'c');
   });
 });
+
+describe('patches', function() {
+  it('should not allow setting an unsafe key', function() {
+    const o = {};
+    assert.equal({}.foo, undefined);
+    set(o, [['__proto__'], 'foo'], 'bar');
+    assert.equal({}.foo, undefined);
+  });
+});

Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,10 @@ function createKey(pattern, options) {`
`99`	`99`	`}`
`100`	`100`
`101`	`101`	`function isValidKey(key) {`
	`102`	`+ if (typeof key !== 'string' && typeof key !== 'number') {`
	`103`	`+ key = String(key);`
	`104`	`+ }`
	`105`	`+`
`102`	`106`	`return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';`
`103`	`107`	`}`
`104`	`108`