From 648cc5bcddbcfa9a59ad5776a9bd2dd800867556 Mon Sep 17 00:00:00 2001
From: Nicolas DUBIEN
Date: Fri, 31 Mar 2023 16:41:42 +0000
Subject: [PATCH] Accept any header name (inc. `__proto__`)
---
 papaparse.js | 4 ++--
 tests/node-tests.js | 11 +++++++++++
 tests/poisoned-sample.csv | 2 ++
 3 files changed, 15 insertions(+), 2 deletions(-)
 create mode 100644 tests/poisoned-sample.csv
diff --git a/papaparse.js b/papaparse.js
index 6495e7d8..d35c6a8f 100755
--- a/papaparse.js
+++ b/papaparse.js
@@ -1247,7 +1247,7 @@ License: MIT function processRow(rowSource, i) {
- var row = _config.header ? {} : [];
+ var row = _config.header ? Object.create(null) : [];
 var j; for (j = 0; j < rowSource.length; j++)
@@ -1473,7 +1473,7 @@ License: MIT var headers = firstLine.split(delim); var separator = '_'; var headerMap = new Set();
- var headerCount = {};
+ var headerCount = Object.create(null);
 var duplicateHeaders = false; for (var j in headers) {
diff --git a/tests/node-tests.js b/tests/node-tests.js
index 6d012ec8..0acca8c3 100644
--- a/tests/node-tests.js
+++ b/tests/node-tests.js
@@ -5,6 +5,7 @@ var Papa = require("../papaparse.js"); var fs = require('fs'); var assert = require('assert'); var longSampleRawCsv = fs.readFileSync(__dirname + '/long-sample.csv', 'utf8');
+var poisonedSampleRawCsv = fs.readFileSync(__dirname + '/poisoned-sample.csv', 'utf8');
 var utf8BomSampleRawCsv = fs.readFileSync(__dirname + '/utf-8-bom-sample.csv', 'utf8'); function assertLongSampleParsedCorrectly(parsedCsv) {
@@ -298,4 +299,14 @@ describe('PapaParse', function() { } }); });
+
+ it('handles poisoned headers', function(done) {
+ Papa.parse(poisonedSampleRawCsv, {
+ header: true,
+ complete: function(parsedCsv) {
+ assert.deepEqual(parsedCsv.data[0], { ['__proto__']: 'X', toString: 'Y', valueOf: 'Z', __proto___1: 'A' });
+ done();
+ }
+ });
+ });
 });
diff --git a/tests/poisoned-sample.csv b/tests/poisoned-sample.csv
new file mode 100644
index 00000000..55ee5c39
--- /dev/null
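Review bot: The switch to `Object.create(null)` in processRow changes what callers receive without saying so: every row parsed with `header: true` is now a prototype-less object, so downstream code that calls `row.hasOwnProperty(key)` or coerces a row with `String(row)` throws a TypeError instead of working as before. I would add a comment on the new line, `// No prototype: header text from the input (__proto__, toString, ...) becomes an ordinary own key`, and state in the release notes that consumers should use `Object.hasOwn(row, key)` or `Object.prototype.hasOwnProperty.call(row, key)`. Only the start of processRow is inside the hunk, so the assignment of fields into `row` is not visible here and is assumed to index by header name.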
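Review bot: The reason `headerCount` must have no prototype is not written down next to the new line, so a later cleanup back to `{}` would go unnoticed; the object is keyed by header text from the input, and with a normal prototype a lookup for a header such as `toString` presumably finds the inherited function instead of a count. A one-line comment would guard against that, for example `// keyed by untrusted header names; must not inherit from Object.prototype`. Since `headerMap` one line above is already a `Set`, a `Map` would state the same intent more directly, but that means changing the reads and writes of `headerCount`, which lie outside this hunk.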
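Review bot: The new test pins the row's keys but not the property this commit is about: `assert.deepEqual` is the loose comparison and does not look at prototypes, so nothing here checks that the row is prototype-less or that `Object.prototype` is unchanged after parsing. Adding `assert.strictEqual(Object.getPrototypeOf(parsedCsv.data[0]), null);` and `assert.strictEqual(typeof ({}).toString, 'function');` before `done()` would cover both. The computed key `['__proto__']` in the expected literal is load-bearing, because a plain `__proto__: 'X'` is treated as a prototype setter and creates no own key, and it deserves a short comment saying so.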
+++ b/tests/poisoned-sample.csv
@@ -0,0 +1,2 @@
+__proto__,toString,valueOf,__proto__
+X,Y,Z,A