From db70fe9bcbba451e9f8bd794a9fa7cdfa00125ad Mon Sep 17 00:00:00 2001
From: David Worms
Date: Thu, 16 Sep 2021 21:33:30 +0200
Subject: [PATCH] fix: prevent code injection in copying properties

---
 CHANGELOG.md | 4 ++++
 dist/mixme.cjs.js | 5 ++++-
 dist/mixme.esm.js | 5 ++++-
 dist/mixme.umd.js | 5 ++++-
 lib/index.js | 5 ++++-
 src/index.coffee | 5 ++++-
 6 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c6a6324..72c77e5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
+## Trunk
+
+* fix: prevent code injection in copying properties
+
 ## Version 0.5.1
 * fix: dont pollute object proto #1
diff --git a/dist/mixme.cjs.js b/dist/mixme.cjs.js
index c071ccf..f86ee9c 100644
--- a/dist/mixme.cjs.js
+++ b/dist/mixme.cjs.js
@@ -50,7 +50,10 @@ exports.mutate = function mutate() {
 }
 for (name in source) {
- if (name === '__proto__') {
+ if (/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test(name)) {
+ // See
+ // https://github.com/adaltas/node-mixme/issues/1
+ // https://github.com/adaltas/node-mixme/issues/2
 continue;
 }
diff --git a/dist/mixme.esm.js b/dist/mixme.esm.js
index e4adb55..371904a 100644
--- a/dist/mixme.esm.js
+++ b/dist/mixme.esm.js
@@ -46,7 +46,10 @@ _mutate = function mutate() {
 }
 for (name in source) {
- if (name === '__proto__') {
+ if (/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test(name)) {
+ // See
+ // https://github.com/adaltas/node-mixme/issues/1
+ // https://github.com/adaltas/node-mixme/issues/2
 continue;
 }
diff --git a/dist/mixme.umd.js b/dist/mixme.umd.js
index 28adeb2..4499064 100644
--- a/dist/mixme.umd.js
+++ b/dist/mixme.umd.js
@@ -52,7 +52,10 @@
 }
 for (name in source) {
- if (name === '__proto__') {
+ if (/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test(name)) {
+ // See
+ // https://github.com/adaltas/node-mixme/issues/1
+ // https://github.com/adaltas/node-mixme/issues/2
 continue;
 }
diff --git a/lib/index.js b/lib/index.js
index 261b402..00eb424 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -27,7 +27,10 @@ mutate = function() {
 target = {};
 }
 for (name in source) {
- if (name === '__proto__') {
+ if (/__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test(name)) {
+ // See
+ // https://github.com/adaltas/node-mixme/issues/1
+ // https://github.com/adaltas/node-mixme/issues/2
 continue;
 }
 target[name] = mutate(target[name], source[name]);
diff --git a/src/index.coffee b/src/index.coffee
index 155446a..c138cf0 100644
--- a/src/index.coffee
+++ b/src/index.coffee
@@ -19,7 +19,10 @@ mutate = ->
 if is_object_literal source
 target = {} unless is_object_literal target
 for name of source
- continue if name is '__proto__'
+ # See
+ # https://github.com/adaltas/node-mixme/issues/1
+ # https://github.com/adaltas/node-mixme/issues/2
+ continue if /__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test name
 target[name] = mutate target[name], source[name]
 else if Array.isArray source
 target = for v in source
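Review bot: The new `continue if /__proto__|constructor|prototype|eval|function|\*|\+|;|\s|\(|\)|!/.test name` in src/index.coffee is an unanchored substring match, so any ordinary key that merely contains one of those tokens (`functionName`, `constructorArgs`, a key with a space or a `+`) is now dropped silently, with no error or log to tell the caller why a property vanished from the merge. The names that matter for keeping a merge off a shared prototype are the exact keys `__proto__`, `constructor` and `prototype`, so an exact comparison such as `continue if name in ['__proto__', 'constructor', 'prototype']` is both tighter and free of those false positives; nothing in the hunk evaluates a key as code, so the `eval`/`function`/punctuation alternatives appear to guard a path that is not visible here. If inherited enumerable properties are not meant to be merged, `for own name of source` would additionally keep the loop from walking the source's prototype chain. The same expression is repeated in lib/index.js and the three dist/ bundles, which look like build output of this file and should be regenerated from it rather than edited separately. The enclosing `mutate` function starts and ends outside the hunk.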