Security fix for prototype pollution

mozilla · Nov 23, 2020 · 688c46a · 688c46a
1 parent 95f4ab3
commit 688c46a
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/packages/convict/src/main.js b/packages/convict/src/main.js
@@ -561,8 +561,10 @@ const convict = function convict(def, opts) {
       const path = k.split('.')
       const childKey = path.pop()
       const parentKey = path.join('.')
-      const parent = walk(this._instance, parentKey, true)
-      parent[childKey] = v
+      if (!(parentKey == '__proto__' || parentKey == 'constructor' || parentKey == 'prototype')) {
+        const parent = walk(this._instance, parentKey, true)
+        parent[childKey] = v 
+      }
       return this
     },