fix prototype pollution

Author: chgeo

tools/cds-lint/components/PlaygroundBadge.vue

@@ -33,21 +33,12 @@ export default [
 
 const defaultPackageJson = JSON.parse(data['package.json']);
 
-function mergeJSONs(target: any, add: any) {
-    const isObject = (obj: unknown) => typeof obj === 'object';
-    Object.entries(add).forEach(([key, addVal]) => {
-        const targetVal = target[key];
-        if (targetVal && isObject(targetVal) && isObject(addVal)) {
-            if ((Array.isArray(targetVal) && Array.isArray(addVal))) {
-                targetVal.push(...addVal);
-                return;
-            }
-            mergeJSONs(targetVal, addVal);
-        } else {
-            target[key] = addVal;
-        }
-    });
-    return target;
+const is_object = x => typeof x === 'object' && x !== null && !Array.isArray(x)
+function merge (o:any,...xs:any) {
+  let v:any; for (let x of xs) for (let k in x)
+    if (k === '__proto__' || k === 'constructor') continue //> avoid prototype pollution
+    else o[k] = is_object(v=x[k]) ? merge(o[k]??={},v) : v
+  return o
 }
 
 function link(name: Props['name'] = "", kind: Props['kind'], rules?: Props['rules'], files?: Props['files'], packages?: Props['packages'] ): string {
@@ -66,7 +57,7 @@ function link(name: Props['name'] = "", kind: Props['kind'], rules?: Props['rule
     sources[configFileName] = defaultConfig;
   }
   if (packages) {
-    json = mergeJSONs(defaultPackageJson, packages);
+    json = merge(defaultPackageJson, packages);
   } else {
     json = defaultPackageJson;
   }