From feaba562b812b21215897f71b0c8b3bf39cf8d7d Mon Sep 17 00:00:00 2001
From: Matt Hamann <mhamann@rownd.io>
Date: Sat, 9 Apr 2022 23:49:28 -0400
Subject: [PATCH] fix(security): prevent prototype pollution in memory store
 (#397)

---
 lib/nconf/stores/memory.js       | 2 +-
 test/stores/memory-store-test.js | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/nconf/stores/memory.js b/lib/nconf/stores/memory.js
index 6220438c..dead79b1 100644
--- a/lib/nconf/stores/memory.js
+++ b/lib/nconf/stores/memory.js
@@ -92,7 +92,7 @@ Memory.prototype.set = function (key, value) {
   //
   while (path.length > 1) {
     key = path.shift();
-    if (!target[key] || typeof target[key] !== 'object') {
+    if (!target[key] || typeof target[key] !== 'object' || !Object.hasOwnProperty.call(target, key)) {
       target[key] = {};
     }
 
diff --git a/test/stores/memory-store-test.js b/test/stores/memory-store-test.js
index 76489cac..0f8c6fa6 100644
--- a/test/stores/memory-store-test.js
+++ b/test/stores/memory-store-test.js
@@ -121,5 +121,12 @@ vows.describe('nconf/stores/memory').addBatch({
         assert.equal(store.get('foo').bar.bazz, 'buzz');
       }
     }
+  },
+  "When attempting prototype pollution": {
+    topic: new nconf.Memory(),
+    "should not be able to pollute the prototype": function (store) {
+      store.set('__proto__:polluted', 'yes');
+      assert.equal({}.polluted, undefined);
+    }
   }
 }).export(module);