fix: do not let setProperty change the prototype (#1899)

alexander-fenster · web-flow · commit e66379f451b0 · 2023-06-23T15:46:03.000-07:00
* fix: do not let setProperty change the prototype

* test: add unit test
diff --git a/src/util.js b/src/util.js
@@ -176,7 +176,7 @@ util.decorateEnum = function decorateEnum(object) {
 util.setProperty = function setProperty(dst, path, value) {
     function setProp(dst, path, value) {
         var part = path.shift();
-        if (part === "__proto__") {
+        if (part === "__proto__" || part === "prototype") {
           return dst;
         }
         if (path.length > 0) {
diff --git a/tests/api_util.js b/tests/api_util.js
@@ -95,6 +95,15 @@ tape.test("util", function(test) {
 
         util.setProperty(o, 'prop.subprop', { subsub2: 7});
         test.same(o, {prop1: [5, 6], prop: {subprop: [{subsub: [5,6]}, {subsub2: 7}]}}, "should convert nested properties to array");
+        
+        util.setProperty({}, "__proto__.test", "value");
+        test.is({}.test, undefined);
+
+        util.setProperty({}, "prototype.test", "value");
+        test.is({}.test, undefined);
+
+        util.setProperty({}, "constructor.prototype.test", "value");
+        test.is({}.test, undefined);
 
         test.end();
     });

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,7 @@ util.decorateEnum = function decorateEnum(object) {`
`176`	`176`	`util.setProperty = function setProperty(dst, path, value) {`
`177`	`177`	`function setProp(dst, path, value) {`
`178`	`178`	`var part = path.shift();`
`179`		`- if (part === "__proto__") {`
	`179`	`+ if (part === "__proto__" \|\| part === "prototype") {`
`180`	`180`	`return dst;`
`181`	`181`	`}`
`182`	`182`	`if (path.length > 0) {`