skip all __ keys instead of only __proto__

archmoj · archmoj · commit cf5c6231043a · 2023-08-11T09:00:07.000-04:00
diff --git a/src/lib/index.js b/src/lib/index.js
@@ -925,6 +925,11 @@ lib.objectFromPath = function(path, value) {
 var dottedPropertyRegex = /^([^\[\.]+)\.(.+)?/;
 var indexedPropertyRegex = /^([^\.]+)\[([0-9]+)\](\.)?(.+)?/;
 
+function notValid(prop) {
+    // guard against polluting __proto__ and other internals getters and setters
+    return prop.slice(0, 2) === '__';
+}
+
 lib.expandObjectPaths = function(data) {
     var match, key, prop, datum, idx, dest, trailingPath;
     if(typeof data === 'object' && !Array.isArray(data)) {
@@ -933,7 +938,7 @@ lib.expandObjectPaths = function(data) {
                 if((match = key.match(dottedPropertyRegex))) {
                     datum = data[key];
                     prop = match[1];
-                    if(prop === '__proto__') continue;
+                    if(notValid(prop)) continue;
 
                     delete data[key];
 
@@ -942,7 +947,7 @@ lib.expandObjectPaths = function(data) {
                     datum = data[key];
 
                     prop = match[1];
-                    if(prop === '__proto__') continue;
+                    if(notValid(prop)) continue;
 
                     idx = parseInt(match[2]);
 
@@ -973,11 +978,11 @@ lib.expandObjectPaths = function(data) {
                         // This is the case where this property is the end of the line,
                         // e.g. xaxis.range[0]
 
-                        if(prop === '__proto__') continue;
+                        if(notValid(prop)) continue;
                         data[prop][idx] = lib.expandObjectPaths(datum);
                     }
                 } else {
-                    if(key === '__proto__') continue;
+                    if(notValid(key)) continue;
                     data[key] = lib.expandObjectPaths(data[key]);
                 }
             }
