Fix for Prototype Pollution
Viking04 committed Sep 8, 2021
1 parent 84dc099 commit baba403
Showing 3 changed files with 21 additions and 1 deletion.
2 changes: 2 additions & 0 deletions index.js
@@ -1,6 +1,8 @@
function merge(dst, ...sources) {
for (src of sources) {
for (let key in src) {
//fix for prototype pollution
if (key === "__proto__" || key === "constructor") continue;
let s = src[key], d = dst[key]
if (Object(s) == s && Object(d) === d) {
dst[key] = merge(d, s)
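Review bot: The new guard in `merge` is a name denylist that omits `prototype`, and the `for (let key in src)` loop it sits in still copies inherited enumerable keys, so the merge is not limited to a source's own properties. I would extend it to `if (key === "__proto__" || key === "constructor" || key === "prototype" || !Object.prototype.hasOwnProperty.call(src, key)) continue;`. The loop header `for (src of sources)` has no declaration in the visible lines, so `src` appears to be an implicit global that the recursive `merge(d, s)` call overwrites; `for (const src of sources)` would keep each level reading from its own source. The body of `merge` continues past the end of this hunk, so anything after the recursive call is not reviewed here.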
13 changes: 13 additions & 0 deletions package-lock.json


7 changes: 6 additions & 1 deletion test/test.js
Expand Up @@ -3,4 +3,9 @@ var a = {"a":{"red":"apple"}}
var b = {"b":{"yellow":"mango"}}
var c = {"a":{"orange":"orange"}}
merge(a,b,c)
console.log(a)
console.log(a)

//Test case for prototype pollution fix
var prototype_pollution_test = JSON.parse('{"__proto__":{"polluted":true}}')
merge(a,prototype_pollution_test)
console.log({}.polluted)
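Review bot: The added case ends in `console.log({}.polluted)`, which prints the result but cannot fail, so a regression in the guard would go unnoticed. Assuming the file is CommonJS, replace it with an assertion such as `require("assert").strictEqual({}.polluted, undefined);`. The case also exercises only the `__proto__` key; a second source object that uses the `constructor` key would cover the other half of the guard added in index.js.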
