fix: avoid prototype pollution

diff --git a/packages/pinia/src/store.ts b/packages/pinia/src/store.ts
index 5a23b475375a59b48df2bea46f110ecbb5ba3e88..5aad26e81f64139ade9521235235fbce9d3f33ad 100644 (file)
--- a/packages/pinia/src/store.ts
+++ b/packages/pinia/src/store.ts
@@ -59,11 +59,13 @@ function mergeReactiveObjects<T extends StateTree>(
 ): T {
   // no need to go through symbols because they cannot be serialized anyway
   for (const key in patchToApply) {
+    if (!patchToApply.hasOwnProperty(key)) continue
     const subPatch = patchToApply[key]
     const targetValue = target[key]
     if (
       isPlainObject(targetValue) &&
       isPlainObject(subPatch) &&
+      target.hasOwnProperty(key) &&
       !isRef(subPatch) &&
       !isReactive(subPatch)
     ) {

diff --git a/packages/testing/src/testing.ts b/packages/testing/src/testing.ts
index cef0bb333a1f10db772655b6a99ab9417eaeecf7..0eb594cd2bcac56ce93ed4ebda866c8cc6954253 100644 (file)
--- a/packages/testing/src/testing.ts
+++ b/packages/testing/src/testing.ts
@@ -139,11 +139,13 @@ function mergeReactiveObjects<T extends StateTree>(
 ): T {
   // no need to go through symbols because they cannot be serialized anyway
   for (const key in patchToApply) {
+    if (!patchToApply.hasOwnProperty(key)) continue
     const subPatch = patchToApply[key]
     const targetValue = target[key]
     if (
       isPlainObject(targetValue) &&
       isPlainObject(subPatch) &&
+      target.hasOwnProperty(key) &&
       !isRef(subPatch) &&
       !isReactive(subPatch)
     ) {