From 688c46afe099b44512665dee6263eacd9f4f71a8 Mon Sep 17 00:00:00 2001
From: arjunshibu
Date: Mon, 23 Nov 2020 20:36:48 +0530
Subject: [PATCH] Security fix for prototype pollution
---
 packages/convict/src/main.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/packages/convict/src/main.js b/packages/convict/src/main.js
index 5aad9325..9ee31fe9 100644
--- a/packages/convict/src/main.js
+++ b/packages/convict/src/main.js
@@ -561,8 +561,10 @@ const convict = function convict(def, opts) {
 const path = k.split('.')
 const childKey = path.pop()
 const parentKey = path.join('.')
- const parent = walk(this._instance, parentKey, true)
- parent[childKey] = v
+ if (!(parentKey == '__proto__' || parentKey == 'constructor' || parentKey == 'prototype')) {
+ const parent = walk(this._instance, parentKey, true)
+ parent[childKey] = v
+ }
 return this
 },
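Review bot: The added guard compares only the whole joined `parentKey` against three literals, so a key whose dangerous segment is not the entire parent path — `constructor.prototype.polluted` gives parentKey `constructor.prototype`, `a.__proto__.b` gives `a.__proto__` — still reaches `walk()` and the `parent[childKey] = v` assignment; whether that lands on `Object.prototype` depends on how `walk()` descends, and its body is outside the hunk. Checking every segment closes that gap: `const forbidden = ['__proto__', 'constructor', 'prototype']` followed by `if (path.some((seg) => forbidden.includes(seg)) || forbidden.includes(childKey)) throw new Error('Refusing to set unsafe key: ' + k)`. Throwing also removes the silent drop in the new branch, which currently returns `this` as though the value had been stored, and the strict `===` inside `includes` replaces the loose `==` comparisons. The enclosing method that receives `k` and `v` starts before the hunk.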