diff --git a/lib/processNested.js b/lib/processNested.js
index f9ed79a..1661b0f 100644
--- a/lib/processNested.js
+++ b/lib/processNested.js
@@ -1,4 +1,4 @@
-const INVALID_KEYS = ['__proto__'];
+const INVALID_KEYS = ['__proto__', 'constructor'];
 module.exports = function(data){
 if (!data || data.length < 1) return {};
diff --git a/test/processNested.spec.js b/test/processNested.spec.js
index 0c7ef8e..d9e18bd 100644
--- a/test/processNested.spec.js
+++ b/test/processNested.spec.js
@@ -47,11 +47,13 @@ describe('Test Convert Flatten object to Nested object', function() {
 });
 it('Do not allow prototype pollution', () => {
- const pollutionOb = JSON.parse(`{"__proto__.POLLUTED": "FOOBAR"}`);
+ const pollutionOb1 = JSON.parse(`{"__proto__.POLLUTED1": "FOOBAR"}`);
+ const pollutionOb2 = JSON.parse(`{"constructor.prototype.POLLUTED2": "FOOBAR"}`);
- processNested(pollutionOb);
+ processNested(pollutionOb1);
+ processNested(pollutionOb2);
- // eslint-disable-next-line no-undef
- assert.equal(global.POLLUTED, undefined);
+ assert.equal(global.POLLUTED1, undefined);
+ assert.equal(global.POLLUTED2, undefined);
 });
 });
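Review bot: The widened denylist on the new `INVALID_KEYS` line is a narrow fix, and the part of the function that applies it to the dotted path segments is outside the hunk, so I cannot confirm every segment (not only the first) is compared against the list. Hardened setters such as lodash's also reject `prototype`, so consider `const INVALID_KEYS = ['__proto__', 'constructor', 'prototype'];` and, as the structurally safer option, building the nested result from `Object.create(null)` so there is no prototype chain for a crafted key to reach. Separately, the context line `if (!data || data.length < 1) return {};` only short-circuits for arrays and strings: for a plain object `data.length` is undefined and the check falls through, so `Object.keys(data).length === 0` is presumably the intended empty test. The exported function continues past the hunk.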
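Review bot: The two new assertions on `global.POLLUTED1` / `global.POLLUTED2` observe pollution only indirectly through the global object's prototype chain and, if the guard ever regresses, leave `Object.prototype` dirty for every later test in the run. Asserting on the target directly, `assert.equal(Object.prototype.POLLUTED1, undefined);`, and deleting the property in a `finally`/`afterEach` keeps the failure localised; also asserting that the returned object has no own `__proto__` or `constructor` key would pin lib/processNested.js's behaviour rather than a side effect. Removing the `// eslint-disable-next-line no-undef` comment assumes the test ESLint environment declares `global`; if it does not, the two assert lines will be flagged. The enclosing `describe` block starts before the hunk.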