Merge commit from fork

Author: danez

lib/constants.js

@@ -69,6 +69,7 @@ const WINDOWS_CHARS = {
  */
 
 const POSIX_REGEX_SOURCE = {
+  __proto__: null,
   alnum: 'a-zA-Z0-9',
   alpha: 'a-zA-Z',
   ascii: '\\x00-\\x7F',

test/malicious.js

@@ -1,7 +1,7 @@
 'use strict';
 
 const assert = require('assert');
-const { isMatch } = require('..');
+const { isMatch, makeRe } = require('..');
 const repeat = n => '\\'.repeat(n);
 
 /**
@@ -30,9 +30,16 @@ describe('handling of potential regex exploits', () => {
       assert(!isMatch('A', `!(${repeat(500)}A)`, { maxLength: 499 }));
     }, /Input length: 504, exceeds maximum allowed length: 499/);
   });
+
   it('should be able to accept Object instance properties', () => {
     assert(isMatch('constructor', 'constructor'), 'valid match');
     assert(isMatch('__proto__', '__proto__'), 'valid match');
     assert(isMatch('toString', 'toString'), 'valid match');
   });
+
+  it('should not expose internal prototype properties', () => {
+    assert.equal(makeRe('[[:constructor:]]').toString(), '/^(?:[[:constructor:]\\])$/');
+    assert(!isMatch('f }]', '[[:constructor:]]'), 'not valid match');
+    assert(!isMatch('a }]', '[[:constructor:]]'),  'not valid match');
+  });
 });