Security fix for Prototype Pollution

Author: arjunshibu

src/nestedObjectAssign.js

@@ -9,7 +9,7 @@ export default function nestedObjectAssign(target, ...sources){
 
     if (isObject(target) && isObject(source)){
         for (const key in source){
-            if (isObject(source[key])){
+            if (isObject(source[key]) && !isPrototypePolluted(key)){
                 if (!target[key]) {
                     Object.assign(target, {[key]: {}});
                 }
@@ -28,4 +28,8 @@ export default function nestedObjectAssign(target, ...sources){
     }
 
     return nestedObjectAssign(target, ...sources);
+}
+
+function isPrototypePolluted(key){
+    return /__proto__|constructor|prototype/.test(key);
 }

test/nestedObjectAssign.spec.js

@@ -69,4 +69,10 @@ describe('Given an instance of nestedObjectAssign', function() {
             expect(JSON.stringify(nestedObjectAssign({}, mockData.default, mockData.first, mockData.second))).to.be.equal(JSON.stringify(expectedData));
         });
     });
+    describe('when I give malicious payload', function() {
+        it('it should not pollute object prototype', () => {
+            nestedObjectAssign({}, JSON.parse('{"__proto__": {"polluted": true}}'));
+            expect({}.polluted).to.be.equal(undefined);
+        });
+    });
 });