From 46b842a6bc897198b83f41ac85c92864b991d7e9 Mon Sep 17 00:00:00 2001
From: ready-research <72916209+ready-research@users.noreply.github.com>
Date: Fri, 3 Sep 2021 14:54:20 +0530
Subject: [PATCH] Security Fix for Prototype Pollution

Fix prototype pollution when path components are not strings
---
 lib/utils/objectUtils.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/utils/objectUtils.js b/lib/utils/objectUtils.js
index d7e908533..9930eaf40 100644
--- a/lib/utils/objectUtils.js
+++ b/lib/utils/objectUtils.js
@@ -225,6 +225,9 @@ function set(obj, path, value) {
 
   for (let i = 0, l = path.length - 1; i < l; ++i) {
     const key = path[i];
+    if (key === '__proto__') {
+      return false;
+    }
     let child = obj[key];
 
     if (!isObject(child)) {
@@ -252,7 +255,10 @@ function set(obj, path, value) {
 
 function zipObject(keys, values) {
   const out = {};
-  for (let i = 0, l = keys.length; i < l; ++i) {
+  for (let i = 0, l = keys.length; i < l; ++i) {
+    if (keys[i] === '__proto__') {
+      return false;
+    }
     out[keys[i]] = values[i];
   }
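Review bot: The guard added before `let child = obj[key];` runs only for intermediate components, because the loop bound `l = path.length - 1` excludes the last element, so `set(obj, ['a', '__proto__'], v)` passes the check and the final assignment (outside this hunk) presumably writes `obj.a.__proto__ = v` unchecked. The check also uses strict equality even though the subject line says the problem is non-string components: an array key `['__proto__']` or an object whose `toString()` yields `'__proto__'` is coerced to `'__proto__'` by `obj[key]` but is not `=== '__proto__'`. Normalizing first, `const key = String(path[i]);`, and applying the same check to the final component closes both gaps; `constructor` and `prototype` are the other conventional pollution keys, though rejecting them may break legitimate paths and should be weighed against callers. Returning `false` silently also gives callers no way to tell a rejected key from an ordinary failure, so either throw or at least mark the intent with `// reject keys that would walk the prototype chain`. The body of set() continues outside the hunk.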