From f95f38e9b21f6eed6241c0ea40943acbf93318f2 Mon Sep 17 00:00:00 2001
From: Arjun Shibu
Date: Wed, 6 Jan 2021 16:07:06 +0530
Subject: [PATCH] Security fix for Prototype Pollution

---
 src/core.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/core.js b/src/core.js
index ed1f18e..0556a11 100644
--- a/src/core.js
+++ b/src/core.js
@@ -42,14 +42,18 @@ function _deepObjectTraverse(target, path, create = true) {
 if (!_isObject(target[step])) {
 if (create) target[step] = {};
 else return undefined;
-}
+} else if (isPrototypePolluted(step)) continue;
 target = target[step];
 }
 return target;
 }
 
+function isPrototypePolluted(key) {
+return ['__proto__', 'constructor', 'prototype'].includes(key);
+}
+
 module.exports = {
 _deepObjectOperation,
 _isObject,
 _deepObjectTraverse
-}
\ No newline at end of file
+}
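Review bot: The new guard `} else if (isPrototypePolluted(step)) continue;` only runs in the branch where `target[step]` already passes `_isObject`, so a dangerous key still reaches `if (create) target[step] = {};` whenever `_isObject` rejects the existing value (e.g. `constructor` is a function, and `_isObject`, defined outside this hunk, may or may not accept functions); the key check belongs before the `_isObject` test, at the top of the loop body, which starts above the hunk. `continue` is also the wrong outcome: it silently drops the segment and applies the remaining path to the current object, so a path like `['__proto__', 'x']` quietly writes to `target.x`, which callers cannot distinguish from success; rejecting is clearer, e.g. `if (isPrototypePolluted(step)) return undefined;` as the first statement of the loop, with the original `}` restored. The final path segment is presumably assigned by the caller after `_deepObjectTraverse` returns (`_deepObjectOperation` is not in this hunk), so that assignment site needs the same key check or a path ending in `__proto__` remains unguarded. Minor: the array literal in `isPrototypePolluted` is rebuilt on every call; a module-level `const FORBIDDEN_KEYS = new Set([...])` with `.has(key)` reads better and documents intent.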