Merge pull request #7 from rgrove/fix-hasOwnProperty

Don't assume `hasOwnProperty` is safe

Author: hueniverse

lib/index.js

@@ -1,5 +1,6 @@
 'use strict';
 
+const hasOwnProperty = Object.prototype.hasOwnProperty;
 
 const internals = {
     suspectRx: /"(?:_|\\u005f)(?:_|\\u005f)(?:p|\\u0070)(?:r|\\u0072)(?:o|\\u006f)(?:t|\\u0074)(?:o|\\u006f)(?:_|\\u005f)(?:_|\\u005f)"\s*\:/
@@ -65,7 +66,7 @@ exports.scan = function (obj, options) {
         next = [];
 
         for (const node of nodes) {
-            if (node.hasOwnProperty('__proto__')) {
+            if (hasOwnProperty.call(node, '__proto__')) {
                 if (options.protoAction !== 'remove') {
                     throw new SyntaxError('Object contains forbidden prototype property');
                 }

test/index.js

@@ -127,5 +127,14 @@ describe('Bourne', () => {
 
             expect(() => Bourne.scan(obj)).to.throw(SyntaxError);
         });
+
+        it('does not break when hasOwnProperty is overwritten', () => {
+
+            const text = '{ "a": 5, "b": 6, "hasOwnProperty": "text", "__proto__": { "x": 7 } }';
+            const obj = JSON.parse(text);
+
+            Bourne.scan(obj, { protoAction: 'remove' });
+            expect(obj).to.equal({ a: 5, b: 6, hasOwnProperty: 'text' });
+        });
     });
 });