fix(deepMerge): prototype pollution

Author: antfu

src/object.test.ts

@@ -51,4 +51,16 @@ describe('deepMerge', () => {
  const obj2 = { a: ['C'], b: ['D'] }
  expect(deepMerge({}, obj1, obj2)).toEqual({ a: ['C'], b: ['D'] })
  })
+
+ it('prototype pollution 1', () => {
+ const obj = {} as any
+ const obj2 = {} as any
+ const payload = JSON.parse('{"__proto__":{"polluted":"Polluted!"}}')
+
+ expect(obj.polluted).toBeUndefined()
+ expect(obj2.polluted).toBeUndefined()
+ deepMerge(obj, payload)
+ expect(obj.polluted).toBeUndefined()
+ expect(obj2.polluted).toBeUndefined()
+ })
 })

src/object.ts

@@ -82,6 +82,9 @@ export function deepMerge<T extends object = object, S extends object = T>(targe
 
  if (isMergableObject(target) && isMergableObject(source)) {
  objectKeys(source).forEach((key) => {
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype')
+ return
+
  // @ts-expect-error
  if (isMergableObject(source[key])) {
  // @ts-expect-error