Merge pull request #47 from janl/fix/proto

fix: prototype pollution

Author: janl

.travis.yml

@@ -1,13 +1,12 @@
 language: "node_js"
 node_js:
-  # keep latest first, so gk-lockfile can work its magic
-  # https://github.com/greenkeeperio/greenkeeper-lockfile#testing-multiple-node-versions
+  - 14.0
+  - 12.0
+  - 10.0
   - 8.0
-  - 6.0
-  - node
-before_install:
-# package-lock.json was introduced in npm@5
-- npm install -g npm@5
-- npm install -g greenkeeper-lockfile@1
-before_script: greenkeeper-lockfile-update
-after_script: greenkeeper-lockfile-upload
+install:
+  - npm install
+# Avoid double build on PRs (See https://github.com/travis-ci/travis-ci/issues/1147)
+branches:
+  only:
+    - master

README.md

@@ -1,8 +1,6 @@
-# JSON Pointer for nodejs
+# JSON Pointer for Node.js
 
-[![Greenkeeper badge](https://badges.greenkeeper.io/janl/node-jsonpointer.svg)](https://greenkeeper.io/)
-
-This is an implementation of [JSON Pointer](http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer-08).
+This is an implementation of [JSON Pointer](https://tools.ietf.org/html/rfc6901).
 
 ## CLI
 
@@ -38,7 +36,7 @@ pointer.set(obj, 1) // sets obj.foo = 1
 
 ## Author
 
-(c) 2011-2015 Jan Lehnardt <jan@apache.org> & Marc Bachmann <https://github.com/marcbachmann>
+(c) 2011-2020 Jan Lehnardt <jan@apache.org> & Marc Bachmann <https://github.com/marcbachmann>
 
 ## License
 

jsonpointer.js

@@ -17,6 +17,9 @@ function setter (obj, pointer, value) {
   var part
   var hasNextPart
 
+  if (pointer[1] === 'constructor' && pointer[2] === 'prototype') return obj
+  if (pointer[1] === '__proto__') return obj
+
   for (var p = 1, len = pointer.length; p < len;) {
     part = untilde(pointer[p++])
     hasNextPart = len > p