Skip to content

Commit

Permalink
ensure keys are valid when mixing in values
Browse files Browse the repository at this point in the history
  • Loading branch information
doowb committed Jun 24, 2019
1 parent a4bcf3e commit 90ee1fa
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion index.js
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 23,7 @@ function mixinDeep(target, objects) {
*/

function copy(val, key) {
if (key === '__proto__') {
if (!isValidKey(key)) {
return;
}

Expand All @@ -46,6 46,17 @@ function isObject(val) {
return isExtendable(val) && !Array.isArray(val);
}

/**
* Returns true if `key` is a valid key to use when extending objects.
*
* @param {String} `key`
* @return {Boolean}
*/

function isValidKey(key) {
return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
};

/**
* Expose `mixinDeep`
*/
Expand Down

2 comments on commit 90ee1fa

@hellochrisyou
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does this do?

@doowb
Copy link
Collaborator Author

@doowb doowb commented on 90ee1fa Oct 30, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This ensures the keys being "mixed in" are valid... meaning that they won't be able to modify objects in the prototype chain in unexpected ways, which may lead to a vulnerability in an application.

Please sign in to comment.