Minor mitigation

Author: mde

lib/utils.js

@@ -25,6 +25,8 @@
 'use strict';
 
 var regExpChars = /[|\\{}()[\]^$+*?.]/g;
+var hasOwnProperty = Object.prototype.hasOwnProperty;
+var hasOwn = function (obj, key) { return hasOwnProperty.apply(obj, [key]); };
 
 /**
  * Escape characters reserved in regular expressions.
@@ -116,6 +118,12 @@ exports.shallowCopy = function (to, from) {
   from = from || {};
   if ((to !== null) && (to !== undefined)) {
     for (var p in from) {
+      if (!hasOwn(from, p)) {
+        continue;
+      }
+      if (p === '__proto__' || p === 'constructor') {
+        continue;
+      }
       to[p] = from[p];
     }
   }
@@ -141,6 +149,12 @@ exports.shallowCopyFromList = function (to, from, list) {
     for (var i = 0; i < list.length; i++) {
       var p = list[i];
       if (typeof from[p] != 'undefined') {
+        if (!hasOwn(from, p)) {
+          continue;
+        }
+        if (p === '__proto__' || p === 'constructor') {
+          continue;
+        }
         to[p] = from[p];
       }
     }