guard against polluting __proto__ in nestedProperty

Author: archmoj

Diff for: src/lib/nested_property.js

@@ -24,13 +24,20 @@ module.exports = function nestedProperty(container, propStr) {
         throw 'bad property string';
     }
 
-    var j = 0;
     var propParts = propStr.split('.');
     var indexed;
     var indices;
-    var i;
+    var i, j;
+
+    for(j = 0; j < propParts.length; j++) {
+        // guard against polluting __proto__ and other internals
+        if(String(propParts[j]).slice(0, 2) === '__') {
+            throw 'bad property string';
+        }
+    }
 
     // check for parts of the nesting hierarchy that are numbers (ie array elements)
+    j = 0;
     while(j < propParts.length) {
         // look for non-bracket chars, then any number of [##] blocks
         indexed = String(propParts[j]).match(/^([^\[\]]*)((\[\-?[0-9]*\])+)$/);