From 2ed8745f931b0a9d523beb61d5bb20cfd88a3b2b Mon Sep 17 00:00:00 2001
From: ready-research <72916209+ready-research@users.noreply.github.com>
Date: Wed, 1 Sep 2021 01:12:30 +0530
Subject: [PATCH] Security Fix for Prototype Pollution

Fix prototype pollution when path components are not strings
---
 lib/index.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/index.js b/lib/index.js
index 338bf9b..5f7749f 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -143,6 +143,9 @@ exports.unset = function(path, o) {
     if (cur == null || typeof cur !== 'object' || !(parts[i] in cur)) {
       return false;
     }
+    if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number') {
+      parts[i] = String(parts[i]);
+    }
     // Disallow any updates to __proto__ or special properties.
     if (ignoreProperties.indexOf(parts[i]) !== -1) {
       return false;
@@ -193,6 +196,9 @@ exports.set = function(path, val, o, special, map, _copying) {
   if (null == o) return;
 
   for (var i = 0; i < parts.length; ++i) {
+    if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number') {
+      parts[i] = String(parts[i]);
+    }
     // Silently ignore any updates to `__proto__`, these are potentially
     // dangerous if using mpath with unsanitized data.
     if (ignoreProperties.indexOf(parts[i]) !== -1) {
@@ -311,4 +317,4 @@ function _setArray(obj, val, part, lookup, special, map) {
 
 function K(v) {
   return v;
-}
\ No newline at end of file
+}
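Review bot: The added `parts[i] = String(parts[i]);` in both the `unset` hunk and the `set` hunk writes back into `parts`, and if `parts` aliases the caller's `path` array when a non-string path is supplied (the code that builds `parts` is outside both hunks), the fix silently rewrites the caller's input; the same three-line check is also duplicated verbatim in the two functions. Normalising into a private copy before the loop, `parts = parts.slice();` ahead of `for (var i = 0; i < parts.length; ++i) {`, keeps the caller's array intact and would let the coercion live in one shared helper; in `unset` that loop begins outside the hunk. Coercing once and storing the string is still the right approach, since `ignoreProperties.indexOf` compares with strict equality and a non-string part would otherwise never match the `__proto__` guard, so a short comment above the check such as `// Normalize non-string parts once so the ignoreProperties check compares the same string key that property access will use.` would record why this runs before the guard.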