From 353e3454295f906364af9330eeb8216bc719ce5f Mon Sep 17 00:00:00 2001
From: test <chdeluo@gmail.com>
Date: Tue, 31 Mar 2026 09:49:15 +0800
Subject: [PATCH] fix prototype pollution caused by a malicious csv file

---
 index.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index c0b9e45..becc547 100644
--- a/index.js
+++ b/index.js
@@ -17,6 +17,14 @@ const defaults = {
   strict: false,
   outputByteOffset: false
 }
+const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
+
+function sanitizeHeader (header) {
+  if (DANGEROUS_KEYS.has(header)) {
+    return null
+  }
+  return header
+}
 
 class CsvParser extends Transform {
   constructor (opts = {}) {
@@ -155,7 +163,11 @@ class CsvParser extends Transform {
 
     if (this.state.first && !skip) {
       this.state.first = false
-      this.headers = cells.map((header, index) => mapHeaders({ header, index }))
+      // this.headers = cells.map((header, index) => mapHeaders({ header, index }))
+      this.headers = cells.map((header, index) => {
+        const mapped = mapHeaders({ header, index })
+        return mapped === null ? null : sanitizeHeader(mapped)
+      }
 
       this.emit('headers', this.headers)
       return