Description: rudimentary __proto__ guarding
Author: Mick Hansen <maker@mhansen.io>
Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
Bug-Debian: https://bugs.debian.org/1040592
Forwarded: not-needed
Applied-Upstream: 2.0.6, commit:7d3aee1c
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2023-07-09

--- a/README.md
+++ b/README.md
@@ -42,6 +42,8 @@
 });
 ```
 
+If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution.
+
 ### Transform object
 Transform object from keys with dottie notation to nested objects
 
--- a/dottie.js
+++ b/dottie.js
@@ -72,6 +72,7 @@
   // Set nested value
   Dottie.set = function(object, path, value, options) {
     var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length;
+    if (pieces[0] === '__proto__') return;
 
     if (typeof current !== 'object') {
         throw new Error('Parent is not an object.');
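Review bot: The guard added after the `pieces` declaration only inspects `pieces[0]`, so a path whose `__proto__` segment is not the first one still walks onto `Object.prototype` and writes there, and `constructor`/`prototype` segments are not considered at all; the transform hunk below has the same first-segment-only check. Checking every segment is a one-line change in the file's ES5 style: `if (pieces.some(function (p) { return p === '__proto__'; })) return;`. Returning silently also hides the dropped write from the caller; throwing, as the `'Parent is not an object.'` branch below does, would be consistent. The README advice to call `Object.preventExtensions(values)` does not appear to cover this case either, since the write lands on the shared prototype rather than on `values` — worth confirming. Dottie.set's body continues outside the hunk.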
@@ -137,6 +138,9 @@
 
       if (key.indexOf(options.delimiter) !== -1) {
         pieces = key.split(options.delimiter);
+
+        if (pieces[0] === '__proto__') break;
+
         piecesLength = pieces.length;
         current = transformed;
 
--- a/test/set.test.js
+++ b/test/set.test.js
@@ -45,4 +45,12 @@
     });
     expect(data.foo.bar.baz).to.equal('someValue');
   });
+
+  it('should not attempt to set __proto__', function () {
+    var data = {};
+
+    dottie.set(data, '__proto__.pollution', 'polluted');
+
+    expect(data.__proto__.pollution).to.be.undefined;
+  });
 });
\ No newline at end of file
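Review bot: The new test only covers a path whose first segment is `__proto__`, which is exactly the case the guard in `Dottie.set` checks; a second case with the segment later in the path, `dottie.set(data, 'foo.__proto__.pollution', 'polluted');` followed by `expect(Object.prototype.pollution).to.be.undefined;`, would pin the behaviour the README now promises. Asserting on `Object.prototype.pollution` rather than `data.__proto__.pollution` also makes explicit that the property under test lives on the shared prototype. If the assertion ever fails, `Object.prototype` stays polluted for the rest of the run, so a `delete Object.prototype.pollution;` in an `afterEach` (assuming the file's mocha setup) keeps later tests independent.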
--- a/test/transform.test.js
+++ b/test/transform.test.js
@@ -145,4 +145,16 @@
     expect(transformed.user.location.city).to.equal('Zanzibar City');
     expect(transformed.project.title).to.equal('dottie');
   });
+
+  it("should guard against prototype pollution", function () {
+    var values = {
+      'user.name': 'John Doe',
+      '__proto__.pollution': 'pollution'
+    };
+
+    var transformed = dottie.transform(values);
+    expect(transformed.user).not.to.equal(undefined);
+    expect(transformed.user.name).to.equal('John Doe');
+    expect(transformed.__proto__.pollution).to.be.undefined;
+  });
 });
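Review bot: The new test places `'user.name'` before `'__proto__.pollution'`, so it passes whether the guard skips only that key or aborts the whole loop, and the dottie.js hunk currently uses `break`. Adding a key after the guarded one, e.g. `'project.title': 'dottie'`, and asserting `expect(transformed.project.title).to.equal('dottie');` would distinguish the two outcomes. String keys in an object literal iterate in insertion order, so the position in the literal is what determines the order seen by the loop.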
