fix: cookies prototype pollution

dist/cjs/index.cjs

@@ -343,6 +343,9 @@ function parseCookieString(input) {
   }
   return input.split(";").filter((v) => v !== "").map((v) => v.split("=")).reduce((cookies, tuple) => {
     const key = decodeURIComponent(tuple[0]).trim();
+    if (key === "__proto__" || key === "constructor" || key === "prototype") {
+      return cookies;
+    }
     const value = tuple[1] !== void 0 ? decodeURIComponent(tuple[1]).trim() : "";
     cookies[key] = value;
     return cookies;

src/utils/parse-cookie-string.js

@@ -26,6 +26,9 @@ export function parseCookieString(input) {
     .map(v => v.split('='))
     .reduce((cookies, tuple) => {
       const key = decodeURIComponent(tuple[0]).trim();
+      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+        return cookies;
+      }
       const value =
         tuple[1] !== undefined ? decodeURIComponent(tuple[1]).trim() : '';
       cookies[key] = value;

src/utils/parse-cookie-string.spec.js

@@ -39,4 +39,11 @@ describe('parseCookieString', function () {
     const result = parseCookieString('foo=bar; baz');
     expect(result).to.be.eql({foo: 'bar', baz: ''});
   });
+
+  it('should ignore prototype properties', function () {
+    const result = parseCookieString(
+      '__proto__=a; constructor=b; prototype=c; foo=bar',
+    );
+    expect(result).to.be.eql({foo: 'bar'});
+  });
 });