From 2cf222683a151027c030b07cb7a57bc1dbcd7482 Mon Sep 17 00:00:00 2001
From: Evgeny Poberezkin
Date: Sat, 7 Dec 2019 11:32:45 +0000
Subject: [PATCH] fix: prevent possibility of execution of the code injected via prototype pollution when undefined is passed to compiled template function, closes #291

---
 index.js | 2 +-
 test/process.test.js | 31 +++++++++++++++++++++++++++++++
 test/test.dot | 1 +
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 test/process.test.js
 create mode 100644 test/test.dot

diff --git a/index.js b/index.js
index 9686aad..5ec0097 100644
--- a/index.js
+++ b/index.js
@@ -42,7 +42,7 @@ function InstallDots(o) {
 if (this.__destination[this.__destination.length-1] !== '/') this.__destination += '/';
 this.__global = o.global || "window.render";
 this.__rendermodule = o.rendermodule || {};
- this.__settings = o.templateSettings ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
+ this.__settings = Object.prototype.hasOwnProperty.call(o,"templateSettings") ? copy(o.templateSettings, copy(doT.templateSettings)) : undefined;
 this.__includes = {};
 }
diff --git a/test/process.test.js b/test/process.test.js
new file mode 100644
index 0000000..c2ace5c
--- /dev/null
+++ b/test/process.test.js
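Review bot: The guard on the `+` line closes the inherited-property path only for `templateSettings`, while the two context lines directly above it — `this.__global = o.global || "window.render"` and `this.__rendermodule = o.rendermodule || {}` — still read through the prototype chain of `o`, so a polluted `Object.prototype.global` or `.rendermodule` is picked up in exactly the way this commit is fixing; if `__global` is later emitted into generated source, as its default value "window.render" suggests, that is the same injection class. Consider the same own-property check there, e.g. `this.__global = Object.prototype.hasOwnProperty.call(o, "global") ? o.global : "window.render";`. Note also that the new condition changes behaviour for an own `templateSettings` explicitly set to undefined or null: the old truthiness check yielded undefined, whereas now `copy(undefined, …)` is called, so `Object.prototype.hasOwnProperty.call(o, "templateSettings") && o.templateSettings ? … : undefined` would keep the previous semantics while still rejecting inherited values. InstallDots begins outside the hunk.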
@@ -0,0 +1,31 @@
+'use strict';
+
+var assert = require('assert');
+var doT = require('..');
+
+
+describe('doT.process', function() {
+ describe('polluting object prototype should not affect template compilation', function() {
+ it('should ignore varname on object prototype', function() {
+ var currentLog = console.log;
+ console.log = log;
+ var logged;
+
+ Object.prototype.templateSettings = {varname: 'it=(console.log("executed"),{})'};
+
+ try {
+ const templates = doT.process({path: './test'});
+ assert.notEqual(logged, 'executed');
+ // injected code can only be executed if undefined is passed to template function
+ templates.test();
+ assert.notEqual(logged, 'executed');
+ } finally {
+ console.log = currentLog;
+ }
+
+ function log(str) {
+ logged = str;
+ }
+ })
+ });
+});
diff --git a/test/test.dot b/test/test.dot
new file mode 100644
index 0000000..6fbf476
--- /dev/null
+++ b/test/test.dot
@@ -0,0 +1 @@
+{{=it && it.test}}
\ No newline at end of file
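Review bot: The `finally` block restores `console.log` but never removes the `Object.prototype.templateSettings` the test installs, so the polluted prototype remains in place for every test that runs afterwards in the same process and can mask or cause unrelated failures; add `delete Object.prototype.templateSettings;` next to `console.log = currentLog;`. The `it` title says "varname on object prototype" while the property actually placed on the prototype is `templateSettings` (with `varname` nested inside it), so a title such as 'should ignore templateSettings on object prototype' would describe the check more accurately. The two `assert.notEqual` calls are loose comparisons; `assert.notStrictEqual` is the precise form here. The hunk is the whole new file, so nothing is cut off.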