set-in/index.js at master · ahdinosaur/set-in · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
var assert = require('assert')

module.exports = setIn

function setIn (object, path, value) {
  assert.equal(typeof object, 'object', 'setIn: expected object as first argument.')
  assert.ok(Array.isArray(path), 'setIn: expected array path as second argument.')
  assert.ok(
    path.every(p => typeof p === 'number' || typeof p === 'string'),
    'setIn: expected array path (of strings and numbers) as second argument.'
  )

  return recursivelySetIn(object, path, value, 0)
}

function recursivelySetIn (object, path, value, index) {
  if (index === path.length) {
    return value
  }

  object = object || {}

  var key = path[index]

  // CVE-2020-28273
  assert.ok(
    key !== 'constructor' && key !== 'prototype' && key !== '__proto__',
    `setIn: ${key} is disallowed in path due to possible prototype pollution attack.`
  )

  if (key === '-') {
    assert.ok(Array.isArray(object), 'setIn: "-" in path must correspond to array.')
    key = object.length
  }

  var next = recursivelySetIn(object[key], path, value, ++index)

  set(object, key, next)

  return object
}

function set (object, key, value) {
  object[key] = value
  return object
}