Merge pull request #240 from AmazingMech2418/patch-1

Fix #239
richardgirges · Aug 6, 2020 · 9fca550 · 9fca550
2 parents fd40389 + 1530cf5
commit 9fca550
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/lib/processNested.js b/lib/processNested.js
@@ -1,4 +1,6 @@
-const INVALID_KEYS = ['__proto__', 'constructor'];
+const OBJECT_PROTOTYPE_KEYS = Object.getOwnPropertyNames(Object.prototype);
+const ARRAY_PROTOTYPE_KEYS = Object.getOwnPropertyNames(Array.prototype);
+
 
 module.exports = function(data){
   if (!data || data.length < 1) return {};
@@ -19,7 +21,8 @@ module.exports = function(data){
       let k = keyParts[index];
 
       // Ensure we don't allow prototype pollution
-      if (INVALID_KEYS.includes(k)) {
+      const IN_ARRAY_PROTOTYPE = ARRAY_PROTOTYPE_KEYS.includes(k) && Array.isArray(current);
+      if (OBJECT_PROTOTYPE_KEYS.includes(k) || IN_ARRAY_PROTOTYPE) {
         continue;
       }
 
@@ -32,5 +35,7 @@ module.exports = function(data){
     }
   }
 
+
+
   return d;
-};
+};