Test case covering the use of __proto__ as a section name

Closes #40

Author: steveukx

src/properties-reader.js

@@ -2,6 +2,8 @@ const {readFileSync, statSync} = require('fs');
 const propertyAppender = require('./property-appender').propertyAppender;
 const propertyWriter = require('./property-writer').propertyWriter;
 
+const has = Object.prototype.hasOwnProperty.call.bind(Object.prototype.hasOwnProperty);
+
 const SECTION = Symbol('SECTION');
 
 function PropertiesReader (sourceFile, encoding, options = {}) {
@@ -213,7 +215,12 @@ PropertiesReader.prototype.set = function (key, value) {
       if (expanded.length >= 1 && typeof source[step] === 'string') {
          source[step] = {'': source[step]};
       }
-      source = (source[step] = source[step] || {});
+
+      if (!has(source, step)) {
+         Object.defineProperty(source, step, { value: Object.create(null) });
+      }
+
+      source = source[step]
    }
 
    if (typeof parsedValue === 'string' && typeof  source[expanded[0]] === 'object') {

test/fix-prototype-pollution.spec.js

@@ -0,0 +1,28 @@
+const {createTestContext} = require('./__fixtues__/create-test-context');
+
+const propertiesReader = require('../');
+
+describe('prototype-pollution', () => {
+   let context;
+
+   beforeEach(async () => {
+      context = await createTestContext();
+   });
+
+   it('does not pollute global Object.prototype', async () => {
+      const file = `
+         [__proto__]
+            polluted = polluted
+            parsed = true
+      `;
+      const props = propertiesReader(await context.file('props.ini', file));
+
+      expect(({}).polluted).toBeUndefined();
+      expect(props.path().__proto__.polluted).toBe('polluted');
+      expect(props.getRaw('__proto__.polluted')).toBe('polluted');
+      expect(props.get('__proto__.polluted')).toBe('polluted');
+      expect(props.getRaw('__proto__.parsed')).toBe('true');
+      expect(props.get('__proto__.parsed')).toBe(true);
+   });
+
+});