Backport #352. Closes #353

Author: hueniverse

lib/clone.js

@@ -75,6 +75,10 @@ module.exports = internals.clone = function (obj, options = {}, _seen = null) {
 
     const keys = Utils.keys(obj, options);
     for (const key of keys) {
+        if (key === '__proto__') {
+            continue;
+        }
+
         if (baseProto === Types.array &&
             key === 'length') {
 

test/index.js

@@ -762,6 +762,15 @@ describe('clone()', () => {
         expect(copy.a).to.shallow.equal(obj.a);
         expect(copy.x).to.shallow.equal(obj);
     });
+
+    it('prevents prototype poisoning', () => {
+
+        const a = JSON.parse('{ "__proto__": { "x": 1 } }');
+        expect(a.x).to.not.exist();
+
+        const b = Hoek.clone(a);
+        expect(b.x).to.not.exist();
+    });
 });
 
 describe('merge()', () => {