Merge pull request #237 from richardgirges/fix-236-proto-pollution

Fix prototype pollution issue in `processNested`

Author: richardgirges

lib/processNested.js

@@ -1,3 +1,5 @@
+const INVALID_KEYS = ['__proto__'];
+
 module.exports = function(data){
   if (!data || data.length < 1) return {};
 
@@ -11,10 +13,16 @@ module.exports = function(data){
       keyParts = key
         .replace(new RegExp(/\[/g), '.')
         .replace(new RegExp(/\]/g), '')
-        .split('.');
-  
+        .split('.');  
+
     for (let index = 0; index < keyParts.length; index++){
       let k = keyParts[index];
+
+      // Ensure we don't allow prototype pollution
+      if (INVALID_KEYS.includes(k)) {
+        continue;
+      }
+
       if (index >= keyParts.length - 1){
         current[k] = value;
       } else {