manuelstofer · Nov 11, 2021 · Feb 17, 2022 · Feb 17, 2022
Showing with 2,179 additions and 1 deletion.

+3 −0 index.js

+2,166 −0 package-lock.json

+1 −1 package.json

+9 −0 test/test.js
diff --git a/index.js b/index.js
@@ -75,6 +75,9 @@ api.set = function set (obj, pointer, value) {
 
     for (var i = 0; i < refTokens.length - 1; ++i) {
         var tok = refTokens[i];
+        if (typeof tok !== 'string' && typeof tok !== 'number') {
+          tok = String(tok)
+        }
         if (tok === "__proto__" || tok === "constructor" || tok === "prototype") {
             continue
         }

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "json-pointer",
   "description": "Some utilities for JSON pointers described by RFC 6901",
-  "version": "0.6.1",
+  "version": "0.6.2",
   "author": "Manuel Stofer <manuel@smallpdf.com>",
   "license": "MIT",
   "dependencies": {

diff --git a/test/test.js b/test/test.js
@@ -446,6 +446,15 @@ describe('convenience api wrapper', function() {
         expect(obj2.polluted).to.be.undefined();
     });
 
+    it('should not set __proto__ (array)', function () {
+        var obj = {}, objPointer = pointer(obj);
+        expect(obj.polluted).to.be.undefined();
+        objPointer.set([['__proto__'], 'polluted'], true);
+        expect(obj.polluted).to.be.undefined();
+        var obj2 = {};
+        expect(obj2.polluted).to.be.undefined();
+    });
+
     it('should not set prototype', function () {
         var obj = {}, objPointer = pointer(obj);
         expect(obj.polluted).to.be.undefined();