Use Object.create(null)

visnup · visnup · commit fe6a1b433a83 · 2021-09-15T15:02:15.000-07:00
diff --git a/src/xlsx.js b/src/xlsx.js
@@ -34,15 +34,12 @@ function extract(sheet, {range, headers} = {}) {
 
   const output = new Array(r1 - r0 + 1);
   for (let r = r0; r <= r1; r++) {
-    // Should we be using Object.create(null) instead of an empty object here?
-    const row = (output[r - r0] = Object.defineProperty({}, "#", { // what is this non-enumerable row["#"] property for?
-      value: r + 1,
-    }));
+    const row = (output[r - r0] = Object.create(null, {"#": {value: r + 1}}));
     const _row = sheet._rows[r]; // is this an internal ExcelJS API? why not sheet.getRow(r)?
     if (_row && _row.hasValues)
       for (let c = c0; c <= c1; c++) {
         const value = valueOf(_row._cells[c]); // internal ExcelJS API?
-        if (value != null) row[names[c + 1]] = value; // what if the name is “__proto__” e.g.?
+        if (value != null) row[names[c + 1]] = value;
       }
   }
 
diff --git a/test/xlsx-test.js b/test/xlsx-test.js
@@ -276,3 +276,13 @@ test("FileAttachment.xlsx derives column names such as A AA AAA…", (t) => {
   );
   t.end();
 });
+
+test("FileAttachment.sheet headers protects __proto__ of row objects", (t) => {
+  const workbook = new Workbook(
+    mockWorkbook({
+      Sheet1: [["__proto__"], [{a: 1}]],
+    })
+  );
+  t.notEqual(workbook.sheet(0, {headers: true})[0].a, 1);
+  t.end();
+});
