From 94c9cf9c8b300d9d9b1e653c4a765fece9fca614 Mon Sep 17 00:00:00 2001
From: Richard Girges <richardgirges@gmail.com>
Date: Fri, 31 Jul 2020 05:59:45 -0700
Subject: [PATCH] prototype pollution fix #2

---
 lib/processNested.js       |  2 +-
 test/processNested.spec.js | 10 ++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/processNested.js b/lib/processNested.js
index f9ed79a..1661b0f 100644
--- a/lib/processNested.js
+++ b/lib/processNested.js
@@ -1,4 +1,4 @@
-const INVALID_KEYS = ['__proto__'];
+const INVALID_KEYS = ['__proto__', 'constructor'];
 
 module.exports = function(data){
   if (!data || data.length < 1) return {};
diff --git a/test/processNested.spec.js b/test/processNested.spec.js
index 0c7ef8e..d9e18bd 100644
--- a/test/processNested.spec.js
+++ b/test/processNested.spec.js
@@ -47,11 +47,13 @@ describe('Test Convert Flatten object to Nested object', function() {
   });
 
   it('Do not allow prototype pollution', () => {
-    const pollutionOb = JSON.parse(`{"__proto__.POLLUTED": "FOOBAR"}`);
+    const pollutionOb1 = JSON.parse(`{"__proto__.POLLUTED1": "FOOBAR"}`);
+    const pollutionOb2 = JSON.parse(`{"constructor.prototype.POLLUTED2": "FOOBAR"}`);
 
-    processNested(pollutionOb);
+    processNested(pollutionOb1);
+    processNested(pollutionOb2);
 
-    // eslint-disable-next-line no-undef
-    assert.equal(global.POLLUTED, undefined);
+    assert.equal(global.POLLUTED1, undefined);
+    assert.equal(global.POLLUTED2, undefined);
   });
 });