fix: prevent changes in prototype chain

Author: remy

lib/undefsafe.js

@@ -99,6 +99,10 @@ function undefsafe(obj, path, value, __res) {
       return res;
     }
 
+    if (Object.getOwnPropertyNames(obj).indexOf(key) == -1) {
+      return undefined;
+    }
+
     obj = obj[key];
     if (obj === undefined || obj === null) {
       break;

test/misc.test.js

@@ -0,0 +1,11 @@
+var test = require('tap').test;
+var undefsafe = require('../lib/undefsafe');
+
+test('cannot modify prototype chain', function(t) {
+  const pre = {}.__proto__.toString;
+  var payload = '__proto__.toString';
+  undefsafe({ a: 'b' }, payload, 'JHU');
+  t.notEqual({}.toString, 'JHU');
+  ({}.__proto__.toString = pre); // restore
+  t.end();
+});