Due to wrong regex shvl is still vulnerable to prototype pollution

[vrechson]

As I reported here: https://www.huntr.dev/bounties/2-other-robinvdvleuten/shvl/, shvl is still vulnerable to prototype pollution. I believe that changing !/^(__proto__|constructor|prototype)$/ to !/(__proto__|constructor|prototype)/ is enough to solve the problem but i prefer to keep it open to discussion

[robinvdvleuten]

Yes your correct @vrechson, the regex was insufficient. Could you add an additional testcase as well?

[vrechson]

Yes your correct @vrechson, the regex was insufficient. Could you add an additional testcase as well?

Yes, of course! I'll came up with complete test cases in the next few days.

[vrechson]

Hi @robinvdvleuten, this should be enough

[vrechson]

Hi, I also read the discussion in this pull request that led to the wrong fix and saw that some people pointed that if we simple remove ^ and $ this would also make shvl stop working with paths like a.b.myconstructor and a.___proto___.b (three underscores). In order to not break the result in cases like these I proposed a better fix and added two new test cases.

[Ancient-Dragon]

Hey guys, is there any update on this PR?

[vrechson]

@Ancient-Dragon still waiting for @robinvdvleuten revision

[robinvdvleuten]

Thanks @vrechson!

[robinvdvleuten]

@all-contributors please add @vrechson for code

[allcontributors]

@robinvdvleuten

I've put up a pull request to add @vrechson! 🎉