From 47dae1d369a25bd9bdcdbc963b8699b89a882c81 Mon Sep 17 00:00:00 2001
From: Heitham Omar
Date: Thu, 11 Nov 2021 12:32:31 +0000
Subject: [PATCH] Fix prototype pollution when pointer is not a string or number
---
 index.js | 3 +++
 test/test.js | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/index.js b/index.js
index 7a10350..afda009 100644
--- a/index.js
+++ b/index.js
@@ -75,6 +75,9 @@ api.set = function set (obj, pointer, value) {
 for (var i = 0; i < refTokens.length - 1; ++i) {
 var tok = refTokens[i];
+ if (typeof tok !== 'string' && typeof tok !== 'number') {
+ tok = String(tok)
+ }
 if (tok === "__proto__" || tok === "constructor" || tok === "prototype") {
 continue
 }
diff --git a/test/test.js b/test/test.js
index c5551c0..1be310d 100644
--- a/test/test.js
+++ b/test/test.js
@@ -446,6 +446,15 @@ describe('convenience api wrapper', function() {
 expect(obj2.polluted).to.be.undefined();
 });
+ it('should not set __proto__ (array)', function () {
+ var obj = {}, objPointer = pointer(obj);
+ expect(obj.polluted).to.be.undefined();
+ objPointer.set([['__proto__'], 'polluted'], true);
+ expect(obj.polluted).to.be.undefined();
+ var obj2 = {};
+ expect(obj2.polluted).to.be.undefined();
+ });
+
 it('should not set prototype', function () {
 var obj = {}, objPointer = pointer(obj);
 expect(obj.polluted).to.be.undefined();
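Review bot: The added `String(tok)` normalization sits inside a loop bounded by `refTokens.length - 1`, so the last token of the pointer is never coerced or compared with the `__proto__`/`constructor`/`prototype` list by these lines. The final assignment is outside the hunk, so it cannot be confirmed from here whether that token is checked; if it is not, apply the same coercion and key check there, or normalize every token once before the loop. The coercion also deserves a why-comment, e.g. `// a non-primitive token such as ['__proto__'] fails the === checks below but is stringified when used as a property key`. Because `continue` skips a blocked token silently, consider throwing instead so the value is not written to a path the caller did not name. `api.set` begins and ends outside the hunk.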
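Review bot: The new case in test/test.js exercises only an array-wrapped `__proto__` in the first position, while the guard in index.js also lists `constructor` and `prototype`, and an array-wrapped token in the last position is not covered either. Add parallel cases for those tokens and positions with the same assertions, so a later change to the key check cannot regress one name unnoticed. Asserting on the shared prototype directly, `expect(Object.prototype.polluted).to.be.undefined();`, would state the intent more plainly than the fresh `obj2` check. The enclosing `describe` block starts and ends outside the hunk.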