Merge pull request #34 from AdamGold/master

fix: 🐛 fix prototype pollution

Author: manuelstofer

index.js

@@ -75,6 +75,9 @@ api.set = function set (obj, pointer, value) {
 
     for (var i = 0; i < refTokens.length - 1; ++i) {
         var tok = refTokens[i];
+        if (tok === "__proto__" || tok === "constructor" || tok === "prototype") {
+            continue
+        }
         if (tok === '-' && Array.isArray(obj)) {
           tok = obj.length;
         }

test/test.js

@@ -436,4 +436,31 @@ describe('convenience api wrapper', function() {
         objPointer.get(immutable(['oo-style'])).should.equal('bla');
         objPointer.get(immutable(['example', '0'])).should.equal('bla2');
     });
+
+    it('should not set __proto__', function () {
+        var obj = {}, objPointer = pointer(obj);
+        expect(obj.polluted).to.be.undefined();
+        objPointer.set('/__proto__/polluted', true);
+        expect(obj.polluted).to.be.undefined();
+        var obj2 = {};
+        expect(obj2.polluted).to.be.undefined();
+    });
+
+    it('should not set prototype', function () {
+        var obj = {}, objPointer = pointer(obj);
+        expect(obj.polluted).to.be.undefined();
+        objPointer.set('/prototype/polluted', true);
+        expect(obj.polluted).to.be.undefined();
+        var obj2 = {};
+        expect(obj2.polluted).to.be.undefined();
+    });
+
+    it('should not set constructor', function () {
+        var obj = {}, objPointer = pointer(obj);
+        expect(obj.polluted).to.be.undefined();
+        objPointer.set('/constructor/prototype/polluted', true);
+        expect(obj.polluted).to.be.undefined();
+        var obj2 = {};
+        expect(obj2.polluted).to.be.undefined();
+    });
 });