Description: Fix prototype pollution
 Test is inspired by the bug source
Author: Jon Schlinkert (https://github.com/jonschlinkert)
Origin: upstream, https://github.com/jonschlinkert/set-value/commit/cb12f149
Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
Bug-Debian: https://bugs.debian.org/941189
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2019-09-26

--- a/index.js
+++ b/index.js
@@ -24,7 +24,7 @@
     return obj;
   }
 
-  var segs = path.split('.');
+  var segs = path.split('.').filter(isValidKey);
   var len = segs.length, i = -1;
   var res = obj;
   var last;
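Review bot: `filter(isValidKey)` silently drops a blocked segment and continues with the rest of the path, so a call such as `set(o, 'a.constructor', v)` is reduced to the path `a` and overwrites `o.a` instead of being refused. Where path strings come from untrusted input, redirecting the write is harder to reason about than rejecting it. Consider keeping `var segs = path.split('.');` and adding `if (!segs.every(isValidKey)) return obj;` directly after it, which matches the early `return obj;` visible at the top of the hunk. The function body starts and ends outside this hunk, so how the loop consumes `segs` could not be checked here.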
@@ -59,3 +59,7 @@
   }
   return res;
 };
+
+function isValidKey(key) {
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+}
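Review bot: `isValidKey` has no comment explaining why these three names are refused, and its name reads like a general validity check rather than a security deny-list. A one-line comment above it would record the intent, for example `// Reject path segments that can reach Object.prototype (prototype pollution, CVE-2019-10747).`. The strict comparisons only match string segments, which is what `split('.')` in the first hunk produces; the comment should say so, so that a later caller does not pass non-string keys and assume they are covered.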
--- a/test.js
+++ b/test.js
@@ -148,3 +148,18 @@
     assert.deepEqual(o, { 'e.f': { 'g.h.i': { j: 1 } } });
   });
 });
+
+describe('CVE-2019-10747', function() {
+  it("shouldn't pollute prototype", function() {
+    var paths = [
+      'constructor.prototype.a0',
+      '__proto__.a1',
+    ];
+    for (const p of paths) {
+      set({}, p, true);
+    }
+    for (let i = 0; i < paths.length; i++) {
+      assert.equal(({})[`a${i}`], null);
+    }
+  });
+});
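Review bot: The new test only checks that a fresh `{}` has no `a0`/`a1`, so it does not pin what `set` does with the rejected path on the target object itself. Since the filter appears to turn `'__proto__.a1'` into a write of `a1` on the target, an assertion such as `var o = {}; set(o, '__proto__.a1', true); assert.deepEqual(o, { a1: true });` (or the empty object, if the path is rejected instead) would make that behaviour explicit. A path that uses a bare `prototype` segment is also not covered, although `isValidKey` blocks it. If an assertion fails, `Object.prototype` stays polluted for the remaining tests, so deleting `Object.prototype.a0` and `Object.prototype.a1` in an `afterEach` would keep later failures from being misattributed.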
