fix: use hasOwnProperty instead of 'in' operator in assignOrPush

[abhu85]

Summary

• Fix prototype chain traversal vulnerability in assignOrPush method
• Add regression tests for XML tags named after Object.prototype methods
• This is a security fix - bypass of CVE-2023-0842

Problem

The assignOrPush method uses the JavaScript in operator to check if a key exists:

if (!(key in obj)) { ... }

The in operator traverses the prototype chain, which means tags named after inherited Object.prototype methods (<toString>, <valueOf>, <constructor>, <hasOwnProperty>, etc.) are incorrectly treated as pre-existing properties.

This causes inherited functions to be mixed with user data in arrays, breaking the parsed object and causing TypeError crashes:

const xml2js = require('xml2js');
xml2js.parseString('<root><toString>x</toString></root>', (err, result) => {
    console.log(result.root.toString); // [ [Function: toString], 'x' ]
    console.log(result.root.toString.join(', ')); // TypeError!
});

Note: This is NOT a duplicate of CVE-2023-0842. That fix correctly prevents prototype pollution when writing properties via defineProperty. This vulnerability is in the reading/checking of property existence via the in operator.

Solution

Replace key not of obj (CoffeeScript in operator) with Object::hasOwnProperty.call obj, key to only check own properties, not inherited ones.

Test Plan

• Added regression tests for toString, valueOf, constructor, hasOwnProperty tag names
• Added test for multiple same-named prototype tags
• All 69 existing tests pass
• Manual verification with PoC from issue Security: Inherited Property Confusion in assignOrPush causes DoS (bypass of CVE-2023-0842 fix) #719

Compatibility

• No breaking API changes
• Backwards compatible - previously broken XML now parses correctly
• No new dependencies

Fixes #719

🤖 Generated with Claude Code