From aa064de70e349b49c82bcb22f96eaa2ea9c01720 Mon Sep 17 00:00:00 2001
From: Jan Lehnardt
Date: Sat, 16 May 2026 11:27:33 +0200
Subject: [PATCH] fix: filter __proto__ in utils.clone()
---
 packages/node_modules/pouchdb-utils/src/clone.js | 5 ++++-
 tests/unit/test.utils.js | 8 ++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/packages/node_modules/pouchdb-utils/src/clone.js b/packages/node_modules/pouchdb-utils/src/clone.js
index fe4cf10bc0..294b91d10a 100644
--- a/packages/node_modules/pouchdb-utils/src/clone.js
+++ b/packages/node_modules/pouchdb-utils/src/clone.js
@@ -36,10 +36,13 @@ function clone(object) {
 newObject = {};
 for (i in object) {
 /* istanbul ignore else */
- if (Object.prototype.hasOwnProperty.call(object, i)) {
+ if (Object.prototype.hasOwnProperty.call(object, i) && i !== '__proto__') {
 var value = clone(object[i]);
 if (typeof value !== 'undefined') {
 newObject[i] = value;
+ Object.defineProperty(newObject, i, {
+ value, writable: true, enumerable: true, configurable: true
+ });
 }
 }
 }
diff --git a/tests/unit/test.utils.js b/tests/unit/test.utils.js
index 88402a4498..79ae65f80f 100644
--- a/tests/unit/test.utils.js
+++ b/tests/unit/test.utils.js
@@ -7,6 +7,7 @@ var normalizeDdocFunctionName = PouchDB.utils.normalizeDdocFunctionName;
 var parseDdocFunctionName = PouchDB.utils.parseDdocFunctionName;
 var createError = PouchDB.utils.createError;
 var errors = PouchDB.Errors;
+var clone = PouchDB.utils.clone;
 describe('test.utils.js', function () {
 describe('the design doc function name normalizer', function () {
@@ -44,4 +45,11 @@ describe('test.utils.js', function () {
 newError.reason.should.equal('love needs no message');
 });
 });
+ describe('clone without __proto__', function () {
+ it ('clones', function () {
+ const input = '{ "__proto__": { "a": 1 } }';
+ const output = clone(JSON.parse(input));
+ Object.getPrototypeOf(output).should.equal(Object.prototype);
+ });
+ });
 });
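Review bot: In the clone.js hunk, `newObject[i] = value;` stays as a context line and the added `Object.defineProperty(newObject, i, { ... })` then defines the same key again, so each property is written twice. With `i !== '__proto__'` already on the `if`, either write alone is enough; keeping only the `defineProperty` call makes the intent explicit (always create an own data property, never go through an inherited setter). The guard also means an own `__proto__` key is silently left out of the clone, which deserves a comment above the `if`, for example `// Skip an own "__proto__" key (JSON.parse can produce one): assigning it would replace the clone's prototype.` The body of `clone` starts and ends outside this hunk.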
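Review bot: The new `clone without __proto__` test in tests/unit/test.utils.js checks only a top-level key and only the prototype of the result. `clone` calls itself on each property value (`clone(object[i])`), so a nested input such as `'{ "x": { "__proto__": { "a": 1 } } }'` with `Object.getPrototypeOf(output.x).should.equal(Object.prototype);` would pin the recursive path as well. An input with a sibling key, e.g. `'{ "__proto__": { "a": 1 }, "b": 2 }'` asserting `output.b.should.equal(2);`, would show that ordinary properties still survive the filter. The test title `'clones'` could name the behaviour, e.g. `'drops an own __proto__ key'`.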