fix: __proto__ copy (#2)

popomore · web-flow · commit aa332a59116c · 2021-12-31T21:19:26.000+08:00
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -0,0 +1,46 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Node.js CI
+
+on:
+  push:
+    branches:
+      - main
+      - master
+  pull_request:
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: '0 2 * * *'
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [6, 8, 10, 12, 14, 16]
+        os: [ubuntu-latest, windows-latest, macos-latest]
+
+    steps:
+    - name: Checkout Git Source
+      uses: actions/checkout@v2
+
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+
+    - name: Install Dependencies
+      run: npm i -g npminstall@latest-3 && npminstall
+
+    - name: Continuous Integration
+      run: npm run ci
+
+    - name: Code Coverage
+      uses: codecov/codecov-action@v1
+      with:
+        token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.travis.yml b/.travis.yml
diff --git a/appveyor.yml b/appveyor.yml
diff --git a/index.js b/index.js
@@ -47,6 +47,8 @@ module.exports = function extend() {
 
     // Extend the base object
     for (name in options) {
+      if (name === '__proto__') continue;
+
       src = target[name];
       copy = options[name];
 
diff --git a/package.json b/package.json
@@ -25,7 +25,6 @@
   "dependencies": {},
   "devDependencies": {
     "covert": "^1.1.0",
-    "egg-ci": "^1.5.0",
     "eslint": "^3.2.2",
     "eslint-config-egg": "^3.2.0",
     "tape": "^4.6.0"
@@ -35,6 +34,7 @@
     "index.js"
   ],
   "ci": {
-    "version": "4, 6, 7"
+    "type": "github",
+    "version": "6, 8, 10, 12, 14, 16"
   }
 }
diff --git a/test/index.js b/test/index.js
@@ -619,3 +619,18 @@ test('works without Array.isArray', function (t) {
   Array.isArray = savedIsArray;
   t.end();
 });
+
+test('fix __proto__ copy', function (t) {
+  var r = extend(true, {}, JSON.parse('{"__proto__": {"polluted": "yes"}}'));
+  t.deepEqual(
+    JSON.stringify(r),
+    '{}',
+    'It should not copy __proto__'
+  );
+  t.deepEqual(
+    ''.polluted,
+    undefined,
+    'It should not affect object prototype'
+  );
+  t.end();
+});
