Do not report "constructor" es duplicate key

prantlf · prantlf · commit eb357141820c · 2024-08-09T21:49:02.000+02:00
Check only own object keys for duplicates. Not keys from the prototype. Fixes the original part of #23.
diff --git a/src/custom-parser.js b/src/custom-parser.js
@@ -35,6 +35,8 @@ const unescapeMap = {
   '/': '/'
 }
 
+const ownsProperty = Object.prototype.hasOwnProperty
+
 function parseInternal (input, options) {
   if (typeof input !== 'string' || !(input instanceof String)) {
     input = String(input)
@@ -318,7 +320,7 @@ function parseInternal (input, options) {
     while (position < inputLength) {
       skipWhiteSpace()
       const key = parseKey()
-      if (allowDuplicateObjectKeys === false && result[key]) {
+      if (allowDuplicateObjectKeys === false && ownsProperty.call(result, key)) {
         fail(`Duplicate key: "${key}"`)
       }
       skipWhiteSpace()
diff --git a/test/parse2.js b/test/parse2.js
@@ -157,6 +157,17 @@ test('duplicate keys', function () {
   })
 })
 
+test('no duplicate key "constructor"', function () {
+  assert.deepEqual(parse('{ "constructor": 1 }'), { constructor: 1 })
+  parse('{ "constructor": 1 }', { allowDuplicateObjectKeys: false })
+})
+
+test('no prototype pollution', function () {
+  const parsed = parse('{ "__proto__": { "polluted": true } }')
+  assert.deepEqual(parsed, JSON.parse('{ "__proto__": { "polluted": true } }'))
+  assert.notDeepEqual(parsed, { polluted: true })
+})
+
 test('random numbers', function () {
   for (let i = 0; i < 100; ++i) {
     const str = '-01.e'.split('')
