back port patch for 4.0.1

jonschlinkert · Aug 16, 2022 · 09c4b10 · 09c4b10
1 parent 8353e4d
commit 09c4b10
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/index.js b/index.js
@@ -99,6 +99,10 @@ function createKey(pattern, options) {
 }
 
 function isValidKey(key) {
+  if (typeof key !== 'string' && typeof key !== 'number') {
+    key = String(key);
+  }
+
   return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
 }
 

diff --git a/test.js b/test.js
@@ -210,3 +210,12 @@ describe('options', function() {
     assert.equal(o.a['{b.c.d}'].e, 'c');
   });
 });
+
+describe('patches', function() {
+  it('should not allow setting an unsafe key', function() {
+    const o = {};
+    assert.equal({}.foo, undefined);
+    set(o, [['__proto__'], 'foo'], 'bar');
+    assert.equal({}.foo, undefined);
+  });
+});