From ca3066c9cecd0e7a5c612e6421e13a955deef7a2 Mon Sep 17 00:00:00 2001
From: Arjun Shibu
Date: Wed, 6 Jan 2021 21:50:31 +0530
Subject: [PATCH] Security fix for Prototype Pollution

---
 lib/object-dot.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/object-dot.js b/lib/object-dot.js
index 2b70174..15b972c 100644
--- a/lib/object-dot.js
+++ b/lib/object-dot.js
@@ -10,6 +10,7 @@ function set ({ object, path, value, overwrite = true, separator = '.' }) {
     let [currentProperty, ...remainingProperties] = properties
     if (object[currentProperty] === undefined) object[currentProperty] = {}
     else if (overwrite && typeof object[currentProperty] !== 'object') object[currentProperty] = {}
+    else if (isPrototypePolluted(currentProperty)) return
     set({ object: object[currentProperty], path: remainingProperties, value, overwrite, separator })
   }
   return object
@@ -47,4 +48,8 @@ function extend () {
   /* eslint-enable */
 }
 
+function isPrototypePolluted (key) {
+  return ['__proto__', 'constructor', 'prototype'].includes(key)
+}
+
 module.exports = { set, get, exists, extend }
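Review bot: The guard `else if (isPrototypePolluted(currentProperty)) return` is the third branch of the if/else chain, so it only runs when neither assignment branch above it fired; with `overwrite` true and `currentProperty` equal to `'constructor'`, `typeof object.constructor` is `'function'`, so the second branch writes `object.constructor = {}` before the key is checked, while the same key is rejected only when `overwrite` is false. The bare `return` also yields `undefined` where the other path returns `object`, so a caller using the result sees a different type depending on which branch ran. Checking the key before any write and keeping the return contract is easier to reason about: `if (isPrototypePolluted(currentProperty)) return object`, placed ahead of the first `if`. The enclosing `set` function starts outside the hunk, so the terminal assignment for the last path segment is not visible here; it is worth confirming that it applies the same check.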
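Review bot: `isPrototypePolluted` carries no documentation, and its name reads as if it tested whether pollution has already occurred, while it actually classifies a single path segment; a JSDoc such as `/** True for path segments that must never be traversed or written, since assigning through them reaches shared prototypes. @param {string} key @returns {boolean} */` would make the intent explicit. The three-element array literal is also rebuilt on every call; a module-level `const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype'])` checked with `UNSAFE_KEYS.has(key)` keeps the list in one place, though that is a style preference rather than a defect.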