Prevents prototype manipulation in the separateExposeGlobals function. The supplied shims are parsed from JSON and could in theory contain a __proto__ key. It is not clear that this is even exploitable to manipulate any behavior of exposeGlobals, let alone the global object prototype.
Nevertheless, out of an abundance of caution, this forbids passing __proto__ or constructor as shims.
Closes #245
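
The behavior the description refers to, as an added example that is not code from this change or from the project: `JSON.parse` keeps `__proto__` as an own property, and a plain assignment copy then swaps the prototype of the result object, while a key check rejects it. The function names `separateNaive` and `separateChecked`, the shim shape, and the input are hypothetical and constructed for illustration.

```javascript
// Added illustration; names and shim shape are hypothetical, not the project's.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor']);

// Naive copy: plain assignment, so a "__proto__" key invokes the
// Object.prototype.__proto__ setter on the object being built.
function separateNaive(shims) {
  const exposed = {};
  for (const [name, value] of Object.entries(shims)) {
    exposed[name] = value;
  }
  return exposed;
}

// Checked copy: forbidden names are rejected up front, and the result has
// no prototype, so no inherited setter can be reached by assignment.
function separateChecked(shims) {
  const exposed = Object.create(null);
  for (const [name, value] of Object.entries(shims)) {
    if (FORBIDDEN_KEYS.has(name)) {
      throw new TypeError(`shim name not allowed: ${name}`);
    }
    exposed[name] = value;
  }
  return exposed;
}

// Constructed input: JSON.parse stores "__proto__" as an own data property.
const parsed = JSON.parse('{"jquery": "$", "__proto__": {"injected": "x"}}');

function demo() {
  const naive = separateNaive(parsed);
  let rejected = false;
  try {
    separateChecked(parsed);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return {
    ownKeyAfterParse: Object.prototype.hasOwnProperty.call(parsed, '__proto__'),
    naiveInherits: naive.injected,        // reached through the swapped prototype
    naiveOwnKeys: Object.keys(naive),     // "__proto__" never became an own key
    globalPrototypeTouched: 'injected' in {}, // Object.prototype is unaffected
    rejected,
  };
}

console.log(demo());
```

Only the object built by the naive copy is affected; `Object.prototype` itself stays unchanged, consistent with the description's doubt about exploitability.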