minimistjs / minimist

parse argument options
MIT License

Robustness: rework isConstructorOrProto #24

Closed shadowspawn closed 1 year ago

shadowspawn commented 1 year ago

The isConstructorOrProto fix does not look right for the v0.2.x branch. I looked at various commits and suspect the back port of the fix itself went somewhat awry. This PR makes the code match the mainline.

Here are the relevant lines of code from the main branch and from the original commit and adapted commit adding isConstructorOrProto.

Main line

Original change

Adapted change (suspect)

codecov-commenter commented 1 year ago

Codecov Report

Merging #24 (3dbebff) into v0.2.x (c0b2661) will not change coverage. The diff coverage is 100.00%.


@@           Coverage Diff           @@
##           v0.2.x      #24   +/-   ##
=======================================
  Coverage   98.55%   98.55%           
=======================================
  Files           1        1           
  Lines         138      138           
  Branches       60       60           
=======================================
  Hits          136      136           
  Misses          2        2           
Impacted Files Coverage Δ
index.js 98.55% <100.00%> (ø)


shadowspawn commented 1 year ago

I'll look at adding tests for constructor, and the last key. (It took me a while to untangle the code, but I hopefully learnt enough on the way to write the tests now!)

shadowspawn commented 1 year ago

There are separate checks for the leading keys in a dotted option name and for the last key. If the checks for __proto__ or constructor are wrong in the checks of the last key then it won't lead to prototype pollution as such, but will lead to less consistent behaviour between --a.constructor.prototype.b and --a.constructor.

The pollution checks on the v0.2.x branch missed the constructor check on the last key in the dotted option name. So again this does not allow prototype pollution, but does mean there is different behaviour between the main branch and the v0.2.x branch.

This PR adds a test which fails if the constructor check is missing for the last key. (And a matching test for __proto__.)

The tests were run against the previous code in #25 to show the failure.

shadowspawn commented 1 year ago

To be clear, after testing I do not think this PR is a security fix. Just a tidy-up to make the dotted option key handling more consistent.
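To show the consistency the PR is after, here is an added example (not minimist's own code) with a simplified dotted-option setter that applies the same guard to the leading keys and to the last key; `setKey`, `parseDotted` and the `checkLastKey` switch are this example's own names, and the `--key.path=value` syntax is a constructed simplification of real argv parsing.

```javascript
// Added example, not code from the minimist project: a minimal dotted-option
// setter that guards both the leading keys and the last key, so that
// `--a.constructor.prototype.b` and `--a.constructor` are handled alike.

// Keys that must never be walked into or assigned: the literal `__proto__`,
// and `constructor` when it currently resolves to a function (the inherited
// Object constructor rather than a plain value the user set earlier).
function isConstructorOrProto(obj, key) {
  return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__';
}

// Set `value` at the dotted path `keys` inside `obj`, creating plain objects
// along the way. `checkLastKey` toggles the guard on the final key so the
// inconsistency discussed in the PR can be observed directly.
function setKey(obj, keys, value, checkLastKey) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (isConstructorOrProto(o, key)) return false; // refuse to walk into the prototype chain
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (checkLastKey && isConstructorOrProto(o, last)) return false; // same guard on the last key
  o[last] = value;
  return true;
}

// Parse a single constructed `--dotted.name=value` argument into an argv object.
// Returns the object plus whether the assignment was accepted.
function parseDotted(arg, checkLastKey = true) {
  const m = /^--([^=]+)=(.*)$/.exec(arg);
  if (!m) throw new Error('expected --key.path=value');
  const argv = {};
  const ok = setKey(argv, m[1].split('.'), m[2], checkLastKey);
  return { argv, ok };
}
```

With the last-key guard on, `--a.constructor=x` is dropped just like `--a.constructor.prototype.b=x`; with it off the value lands as an own property of `argv.a`, which is harmless for `Object.prototype` but differs from the mainline behaviour.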