avoid prototype pollution (graphhopper#2370)

* avoid prototype pollution

* Update web-bundle/src/main/resources/com/graphhopper/maps/js/tools/url.js

Co-authored-by: Kirill <[email protected]>

* Update web-bundle/src/test/resources/com/graphhopper/maps/spec/tools/urlSpec.js

Co-authored-by: Kirill <[email protected]>

* add expected in test

Co-authored-by: Kirill <[email protected]>

Author: karussell

web-bundle/src/main/resources/com/graphhopper/maps/js/tools/url.js

@@ -62,6 +62,8 @@ function mergeParamIntoObject(res, key, value) {
     var newKey = key.substring(0, objectIndex);
     var subKey = key.substring(objectIndex + 1);
 
+    if(newKey == "__proto__" || newKey == "constructor" || newKey == "prototype") return res;
+
     tmpVal = res[newKey];
     if(!tmpVal)
         tmpVal = {};

web-bundle/src/test/resources/com/graphhopper/maps/spec/tools/urlSpec.js

@@ -45,6 +45,11 @@ describe('urlTools', function () {
         someObject = urlTools.mergeParamIntoObject({}, "one.two.three", "123");
         expect("123").toEqual(someObject.one.two.three);
 
+        someObject = urlTools.mergeParamIntoObject({}, "__proto__.polluted", "true");
+        expect(undefined).toEqual({}.polluted);
+        someObject = urlTools.mergeParamIntoObject({}, "constructor.prototype.polluted", "true");
+        expect(undefined).toEqual({}.polluted);
+
         var params = urlTools.parseUrl("localhost:8989?pt.test=now&pt.go.test=single&pt.go.further=far&pt.go.further=now");
         expect("now").toEqual(params.pt.test);
         expect("single").toEqual(params.pt.go.test);