From 50128841fa7fc2d137c36a397054279144caea3d Mon Sep 17 00:00:00 2001
From: Eric Dobbertin <aldeed@gmail.com>
Date: Tue, 6 Oct 2020 19:10:28 +0000
Subject: [PATCH] fix: protect obj merge

---
 package/lib/SimpleSchema.tests.js | 8 ++++++++
 package/lib/utility/merge.js      | 1 +
 2 files changed, 9 insertions(+)

diff --git a/package/lib/SimpleSchema.tests.js b/package/lib/SimpleSchema.tests.js
index 5f66626..ae6c14a 100644
--- a/package/lib/SimpleSchema.tests.js
+++ b/package/lib/SimpleSchema.tests.js
@@ -49,6 +49,14 @@ describe('SimpleSchema', function () {
     }).toThrow('"someArray" is Array type but the schema does not include a "someArray.$" definition for the array items');
   });
 
+  it('does not allow prototype pollution', function () {
+    const obj = {};
+    expect(obj.polluted).toBe(undefined);
+    const badObj = JSON.parse('{"__proto__":{"polluted":"yes"}}');
+    SimpleSchema.setDefaultMessages(badObj);
+    expect(obj.polluted).toBe(undefined);
+  });
+
   describe('nesting', function () {
     it('throws an error if a nested schema defines a field that its parent also defines', function () {
       expect(function () {
diff --git a/package/lib/utility/merge.js b/package/lib/utility/merge.js
index 8f630c8..d18d4d5 100644
--- a/package/lib/utility/merge.js
+++ b/package/lib/utility/merge.js
@@ -11,6 +11,7 @@
 export default function merge(destination, ...sources) {
   sources.forEach((source) => {
     Object.keys(source).forEach((prop) => {
+      if (prop === '__proto__') return; // protect against prototype pollution
       if (
         source[prop]
         && source[prop].constructor