fix: encode/decode proto pollution

Moumouls · Moumouls · commit 7273d8584b28 · 2025-10-10T11:49:55.000+02:00
diff --git a/src/decode.ts b/src/decode.ts
@@ -49,7 +49,9 @@ export default function decode(value: any): any {
   }
   const copy = {};
   for (const k in value) {
-    copy[k] = decode(value[k]);
+    if (Object.prototype.hasOwnProperty.call(value, k)) {
+      copy[k] = decode(value[k]);
+    }
   }
   return copy;
 }
diff --git a/src/encode.ts b/src/encode.ts
@@ -71,7 +71,10 @@ function encode(
   if (value && typeof value === 'object') {
     const output = {};
     for (const k in value) {
-      output[k] = encode(value[k], disallowObjects, forcePointers, seen, offline);
+      // Only iterate over own properties
+      if (Object.prototype.hasOwnProperty.call(value, k)) {
+        output[k] = encode(value[k], disallowObjects, forcePointers, seen, offline);
+      }
     }
     return output;
   }

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,9 @@ export default function decode(value: any): any {`
`49`	`49`	`}`
`50`	`50`	`const copy = {};`
`51`	`51`	`for (const k in value) {`
`52`		`- copy[k] = decode(value[k]);`
	`52`	`+ if (Object.prototype.hasOwnProperty.call(value, k)) {`
	`53`	`+ copy[k] = decode(value[k]);`
	`54`	`+ }`
`53`	`55`	`}`
`54`	`56`	`return copy;`
`55`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,10 @@ function encode(`
`71`	`71`	`if (value && typeof value === 'object') {`
`72`	`72`	`const output = {};`
`73`	`73`	`for (const k in value) {`
`74`		`- output[k] = encode(value[k], disallowObjects, forcePointers, seen, offline);`
	`74`	`+ // Only iterate over own properties`
	`75`	`+ if (Object.prototype.hasOwnProperty.call(value, k)) {`
	`76`	`+ output[k] = encode(value[k], disallowObjects, forcePointers, seen, offline);`
	`77`	`+ }`
`75`	`78`	`}`
`76`	`79`	`return output;`
`77`	`80`	`}`