From 13c01a5327736903704984b7f65616b8476850cc Mon Sep 17 00:00:00 2001
From: substack
Date: Tue, 10 Mar 2020 09:04:33 -1000
Subject: [PATCH 1/3] more failing proto pollution tests

---
 test/proto.js | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/test/proto.js b/test/proto.js
index 87490c3..a2499ec 100644
--- a/test/proto.js
+++ b/test/proto.js
@@ -5,5 +5,33 @@ test('proto pollution', function (t) {
 var argv = parse(['--__proto__.x','123']);
 t.equal({}.x, undefined);
 t.equal(argv.__proto__.x, 123);
+ t.equal(argv.x, undefined);
+ t.end();
+ });
+
+ test('proto pollution (array)', function (t) {
+ var argv = parse(['--x','4','--x','5','--x.__proto__.z','789']);
+ t.equal({}.z, undefined);
+ t.deepEqual(argv.x, [4,5]);
+ t.equal(argv.x.z, undefined);
+ t.equal(argv.x.__proto__.z, 789);
+ t.end();
+ });
+
+ test('proto pollution (number)', function (t) {
+ var argv = parse(['--x','5','--x.__proto__.z','100']);
+ t.equal({}.z, undefined);
+ t.equal((4).z, undefined);
+ t.equal(argv.x, 5);
+ t.equal(argv.x.z, undefined);
+ t.end();
+ });
+
+ test('proto pollution (string)', function (t) {
+ var argv = parse(['--x','abc','--x.__proto__.z','def']);
+ t.equal({}.z, undefined);
+ t.equal('...'.z, undefined);
+ t.equal(argv.x, 'abc');
+ t.equal(argv.x.z, undefined);
 t.end();
 });

From 38a4d1caead72ef99e824bb420a2528eec03d9ab Mon Sep 17 00:00:00 2001
From: substack
Date: Tue, 10 Mar 2020 09:08:00 -1000
Subject: [PATCH 2/3] even more aggressive checks for protocol pollution

---
 index.js | 14 +++++++++++---
 test/proto.js | 4 ++--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/index.js b/index.js
index 3b13f44..d2afe5e 100644
--- a/index.js
+++ b/index.js
@@ -68,13 +68,21 @@ module.exports = function (args, opts) {
 
 function setKey (obj, keys, value) {
 var o = obj;
- keys.slice(0,-1).forEach(function (key) {
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+ if (key === '__proto__') return;
 if (o[key] === undefined) o[key] = {};
- if (o[key] === {}.__proto__) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+ if (o[key] === Array.prototype) o[key] = [];
 o = o[key];
- });
+ }
 
 var key = keys[keys.length - 1];
+ if (key === '__proto__') return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
 if (o[key] === undefined || flags.bools[key] || typeof o[key] === 'boolean') {
 o[key] = value;
 }
diff --git a/test/proto.js b/test/proto.js
index a2499ec..7713559 100644
--- a/test/proto.js
+++ b/test/proto.js
@@ -4,7 +4,7 @@ var test = require('tape');
 test('proto pollution', function (t) {
 var argv = parse(['--__proto__.x','123']);
 t.equal({}.x, undefined);
- t.equal(argv.__proto__.x, 123);
+ t.equal(argv.__proto__.x, undefined);
 t.equal(argv.x, undefined);
 t.end();
 });
@@ -14,7 +14,7 @@ test('proto pollution (array)', function (t) {
 t.equal({}.z, undefined);
 t.deepEqual(argv.x, [4,5]);
 t.equal(argv.x.z, undefined);
- t.equal(argv.x.__proto__.z, 789);
+ t.equal(argv.x.__proto__.z, undefined);
 t.end();
 });
 

From 6457d7440a47f329c12c4a5abfbce211c4235b93 Mon Sep 17 00:00:00 2001
From: substack
Date: Tue, 10 Mar 2020 09:08:08 -1000
Subject: [PATCH 3/3] 1.2.3

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 1750cc2..8c70ca3 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "minimist",
- "version": "1.2.2",
+ "version": "1.2.3",
 "description": "parse argument options",
 "main": "index.js",
 "devDependencies": {
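Review bot: The exact-string `__proto__` check added in the loop and again before the last key still lets a dotted path walk into a built-in prototype through its constructor: with segments `constructor`, `prototype`, then any further segment, `o['constructor']` is a function whose `prototype` property does match the `o[key] === Object.prototype` test, but the replacing assignment `o[key] = {}` is a silent no-op on that non-writable property (presumably index.js is not in strict mode — confirm; in strict mode it would throw instead), so `o = o[key]` advances into `Object.prototype` and the next iteration's `if (o[key] === undefined) o[key] = {};` writes straight onto it. The same route exists for `Number.prototype`, `String.prototype` and `Array.prototype` via their constructors, because every guard inspects `o[key]` after the step rather than `o` before the write. Reject the key at both sites, `if (key === '__proto__' || (key === 'constructor' && typeof o[key] === 'function')) return;`, or bail out when `o` itself is one of those prototypes before anything is assigned, and add a regression case to test/proto.js asserting that `{}.x` stays `undefined` after parsing a `constructor.prototype.x.y` path. setKey's body continues past the end of the hunk, and the inner `var key` in the loop shadows nothing but shares the hoisted binding with the later `var key`, which is worth a comment or a `let` if the file's target allows it.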