From 8971ebb4163d7ce6c68f827b9bed5b395c60792a Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Mon, 27 Jun 2022 17:45:09 -0700
Subject: [PATCH 1/3] test(deepFromFlat): Test if deepFromFlat merges new properties onto Object

This is not the ideal state. We're explicitly looking for this to fail.
---
 test/deepFromFlat.coffee | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/test/deepFromFlat.coffee b/test/deepFromFlat.coffee
index 2579672..a2cf37f 100644
--- a/test/deepFromFlat.coffee
+++ b/test/deepFromFlat.coffee
@@ -20,3 +20,13 @@ describe '_.deepFromFlat', ->
 _(tests).each (test) ->
 it "deepens #{JSON.stringify test.input}", ->
 assert.deepEqual _.deepFromFlat(test.input), test.output
+
+ it "does not merge special `Object` properties", ->
+ _.deepFromFlat({ "__proto__.polluted1": true })
+ _.deepFromFlat({ "constructor.prototype.polluted2": true })
+ p1 = {}.polluted1
+ p2 = {}.polluted2
+ assert.strictEqual(p1, undefined)
+ assert.strictEqual(p2, undefined)
+ delete Object.prototype.polluted1
+ delete Object.prototype.polluted2
From 1089454643597345af654e489abc16828ea42b16 Mon Sep 17 00:00:00 2001
From: Mark Cabanero
Date: Mon, 27 Jun 2022 17:45:34 -0700
Subject: [PATCH 2/3] feat(deepFromFlat): Filter out choice key words

Due to the way how things merge, these key words need to be filtered out.
---
 underscore.deep.coffee | 1 +
 1 file changed, 1 insertion(+)

diff --git a/underscore.deep.coffee b/underscore.deep.coffee
index cae9019..7114ea4 100644
--- a/underscore.deep.coffee
+++ b/underscore.deep.coffee
@@ -136,6 +136,7 @@ module.exports =
 key = parts.pop()
 while parts.length
 part = parts.shift()
+ continue if part in ["__proto__", "constructor", "prototype"]
 t = t[part] = t[part] or {}
 t[key] = o[k]
 oo
From 9944584b86679aa28eed44c7358c52a37a8ce753 Mon Sep 17 00:00:00 2001
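Review bot: The two `delete Object.prototype.polluted…` statements at the end of the new `it` block run only when both assertions pass, so the very failure this test is meant to catch leaves `Object.prototype` polluted for every later test in the run. Wrap the assertions in `try`/`finally` with the two `delete` statements in the `finally` branch (or move them to an `afterEach`) so the cleanup always executes. The case also only places the special names in leading position; a flat key that is exactly `"__proto__"` and a nested one such as `"a.__proto__.b"` deserve their own assertions, along with a check of the value `_.deepFromFlat` returns for them.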
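Review bot: The added `continue` screens only the segments consumed inside the `while parts.length` loop; the last segment was already removed by `key = parts.pop()` and still reaches `t[key] = o[k]` unchecked. A flat key whose final segment is `__proto__` therefore assigns through the `__proto__` setter, letting input data replace the prototype of the object being built; guarding the write, e.g. `t[key] = o[k] unless key is "__proto__"`, closes that. Skipping a segment also silently rewrites the path (`"a.__proto__.b"` ends up as `a.b`, and legitimate fields named `constructor` or `prototype` lose a level), so dropping or rejecting the whole entry would be more predictable, and a short comment on the new line should say why these names are special. The enclosing function starts and ends outside the hunk, so `parts` is assumed to be the flat key split on `.`.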
From: Mark Cabanero
Date: Mon, 27 Jun 2022 17:45:58 -0700
Subject: [PATCH 3/3] chore: Bump from version 0.5.2 to 0.5.3

---
 package-lock.json | 2 +-
 package.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 2f81c08..6888279 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "underscore.deep",
- "version": "0.5.1",
+ "version": "0.5.3",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index 99de47c..13009d4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "underscore.deep",
- "version": "0.5.2",
+ "version": "0.5.3",
 "description": "Underscore mixins for deeply nested objects",
 "main": "underscore.deep.js",
 "engines": {