fix(merge): prevent possible prototype pollution (#34)

n1ru4l · web-flow · commit 2d156c7f6158 · 2022-05-03T08:27:55.000-07:00
diff --git a/src/merge.js b/src/merge.js
@@ -6,6 +6,7 @@ export function merge(a, b, k) {
 			}
 		} else {
 			for (k in b) {
+				if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
 				a[k] = merge(a[k], b[k]);
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ export function merge(a, b, k) {`
`6`	`6`	`}`
`7`	`7`	`} else {`
`8`	`8`	`for (k in b) {`
	`9`	`+ if (k === '__proto__' \|\| k === 'constructor' \|\| k === 'prototype') break;`
`9`	`10`	`a[k] = merge(a[k], b[k]);`
`10`	`11`	`}`
`11`	`12`	`}`