fix: protect against prototype pollution

Author: andris9

.ncurc.js

@@ -10,6 +10,7 @@ module.exports = {
         'undici',
 
         // fix later
-        'eslint'
+        'eslint',
+        'eslint-config-prettier'
     ]
 };

lib/bimi/index.js

@@ -13,7 +13,9 @@ const httpsSchema = Joi.string().uri({
 const FETCH_TIMEOUT = 5 * 1000;
 
 const { fetch: fetchCmd, Agent } = require('undici');
-const fetchAgent = new Agent({ connect: { timeout: FETCH_TIMEOUT } });
+const fetchAgent = new Agent({
+    connect: { timeout: FETCH_TIMEOUT }
+});
 
 const { vmc } = require('@postalsys/vmc');
 const { validateSvg } = require('./validate-svg');

lib/parse-dkim-headers.js

@@ -279,13 +279,15 @@ const headerParser = buf => {
                 entry.comment = part.comment;
             }
 
-            if (['arc-authentication-results', 'authentication-results'].includes(headerKey) && part.key === 'dkim') {
-                if (!result[part.key]) {
-                    result[part.key] = [];
+            if (part.key && !['__proto__', 'constructor'].includes(part.key)) {
+                if (['arc-authentication-results', 'authentication-results'].includes(headerKey) && part.key === 'dkim') {
+                    if (!result[part.key]) {
+                        result[part.key] = [];
+                    }
+                    result[part.key].push(entry);
+                } else {
+                    result[part.key] = entry;
                 }
-                result[part.key].push(entry);
-            } else {
-                result[part.key] = entry;
             }
         });