Merge pull request #1 from ready-research/ready-research-Prototype-Po…

…llution-fix Security Fix for Prototype Pollution
ready-research · Aug 31, 2021 · d497faa · d497faa
2 parents 03c4efe + 2ed8745
commit d497faa
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/lib/index.js b/lib/index.js
@@ -143,6 +143,9 @@ exports.unset = function(path, o) {
     if (cur == null || typeof cur !== 'object' || !(parts[i] in cur)) {
       return false;
     }
+    if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number') {
+      parts[i] = String(parts[i]);
+    }
     // Disallow any updates to __proto__ or special properties.
     if (ignoreProperties.indexOf(parts[i]) !== -1) {
       return false;
@@ -193,6 +196,9 @@ exports.set = function(path, val, o, special, map, _copying) {
   if (null == o) return;
 
   for (var i = 0; i < parts.length; ++i) {
+    if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number') {
+      parts[i] = String(parts[i]);
+    }
     // Silently ignore any updates to `__proto__`, these are potentially
     // dangerous if using mpath with unsanitized data.
     if (ignoreProperties.indexOf(parts[i]) !== -1) {
@@ -311,4 +317,4 @@ function _setArray(obj, val, part, lookup, special, map) {
 
 function K(v) {
   return v;
-}
+}