Merge branch 'pr-40' into dev

Author: unclechu

.travis.yml

@@ -13,3 +13,6 @@ node_js:
   - "iojs-3"
   - "iojs-2"
   - "iojs-1.0.0"
+before_install:
+  - npm config set strict-ssl false
+  - npm config set registry="http://registry.npmjs.org/"

lib/deep-extend.js

@@ -70,6 +70,10 @@ function deepCloneArray(arr) {
 	return clone;
 }
 
+function safeGetProperty(object, property) {
+	return property === '__proto__' ? undefined : object[property];
+}
+
 /**
  * Extening object that entered in first argument.
  *
@@ -102,8 +106,8 @@ var deepExtend = module.exports = function (/*obj_1, [obj_2], [obj_N]*/) {
 		}
 
 		Object.keys(obj).forEach(function (key) {
-			src = target[key]; // source value
-			val = obj[key]; // new value
+			src = safeGetProperty(target, key); // source value
+			val = safeGetProperty(obj, key); // new value
 
 			// recursion prevention
 			if (val === target) {
@@ -141,4 +145,4 @@ var deepExtend = module.exports = function (/*obj_1, [obj_2], [obj_N]*/) {
 	});
 
 	return target;
-}
+};

test/index.spec.js

@@ -254,4 +254,14 @@ describe('deep-extend', function () {
 		});
 	});
 
+	// Vulnerability reported via hacker1: https://hackerone.com/reports/311333
+	// See https://github.com/unclechu/node-deep-extend/issues/39
+	// See https://github.com/unclechu/node-deep-extend/pull/40
+	it('should not modify Object prototype (hacker1 #311333)', function () {
+		var a = {};
+		extend({}, JSON.parse('{"__proto__":{"oops":"It works!"}}'))
+		should.not.exist(a.oops);
+		should.not.exist(Object.prototype.oops);
+	});
+
 });