Create Objects without prototypes.

This generally helps mitigate prototype pollution: even if another
library allows prototype pollution, ejs will not allow escalating this
into Remote Code Execution.

Author: nicdumz

lib/ejs.js

@@ -306,7 +306,7 @@ function fileLoader(filePath){
  */
 
 function includeFile(path, options) {
-  var opts = utils.shallowCopy({}, options);
+  var opts = utils.shallowCopy(Object.create(null), options);
   opts.filename = getIncludePath(path, opts);
   if (typeof options.includer === 'function') {
     var includerResult = options.includer(path, opts.filename);
@@ -412,8 +412,8 @@ exports.compile = function compile(template, opts) {
  */
 
 exports.render = function (template, d, o) {
-  var data = d || {};
-  var opts = o || {};
+  var data = d || Object.create(null);
+  var opts = o || Object.create(null);
 
   // No options object -- if there are optiony names
   // in the data, copy them to options
@@ -484,7 +484,7 @@ exports.renderFile = function () {
     opts.filename = filename;
   }
   else {
-    data = {};
+    data = Object.create(null);
   }
 
   return tryHandleCache(opts, data, cb);
@@ -506,8 +506,8 @@ exports.clearCache = function () {
 };
 
 function Template(text, opts) {
-  opts = opts || {};
-  var options = {};
+  opts = opts || Object.create(null);
+  var options = Object.create(null);
   this.templateText = text;
   /** @type {string | null} */
   this.mode = null;
@@ -597,7 +597,8 @@ Template.prototype = {
         throw new Error('localsName is not a valid JS identifier.');
       }
       if (opts.destructuredLocals && opts.destructuredLocals.length) {
-        var destructuring = '  var __locals = (' + opts.localsName + ' || {}),\n';
+        var destructuring = '  var __locals = (' + opts.localsName +
+          ' || Object.create(null)),\n';
         for (var i = 0; i < opts.destructuredLocals.length; i++) {
           var name = opts.destructuredLocals[i];
           if (!_JS_IDENTIFIER.test(name)) {
@@ -611,7 +612,8 @@ Template.prototype = {
         prepended += destructuring + ';\n';
       }
       if (opts._with !== false) {
-        prepended +=  '  with (' + opts.localsName + ' || {}) {' + '\n';
+        prepended +=  '  with (' + opts.localsName
+          + ' || Object.create(null)) {' + '\n';
         appended += '  }' + '\n';
       }
       appended += '  return __output;' + '\n';
@@ -693,13 +695,14 @@ Template.prototype = {
     // Adds a local `include` function which allows full recursive include
     var returnedFn = opts.client ? fn : function anonymous(data) {
       var include = function (path, includeData) {
-        var d = utils.shallowCopy({}, data);
+        var d = utils.shallowCopy(Object.create(null), data);
         if (includeData) {
           d = utils.shallowCopy(d, includeData);
         }
         return includeFile(path, opts)(d);
       };
-      return fn.apply(opts.context, [data || {}, escapeFn, include, rethrow]);
+      return fn.apply(opts.context,
+          [data || Object.create(null), escapeFn, include, rethrow]);
     };
     if (opts.filename && typeof Object.defineProperty === 'function') {
       var filename = opts.filename;