better fix

mrgrain · mrgrain · commit f34c60d06744 · 2025-03-14T12:06:17.000Z
diff --git a/packages/@aws-cdk/tmp-toolkit-helpers/src/util/objects.ts b/packages/@aws-cdk/tmp-toolkit-helpers/src/util/objects.ts
@@ -103,9 +103,11 @@ export function deepSet(x: any, path: string[], value: any) {
 
   while (path.length > 1 && isObject(x)) {
     const key = path.shift()!;
-    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
-      throw new ToolkitError(`Invalid key: ${key}`);
+
+    if (isPrototypePollutingKey(key)) {
+      continue;
     }
+
     if (!(key in x)) {
       x[key] = {};
     }
@@ -117,8 +119,9 @@ export function deepSet(x: any, path: string[], value: any) {
   }
 
   const finalKey = path[0];
-  if (finalKey === '__proto__' || finalKey === 'constructor' || finalKey === 'prototype') {
-    throw new ToolkitError(`Invalid key: ${finalKey}`);
+
+  if (isPrototypePollutingKey(finalKey)) {
+    return;
   }
 
   if (value !== undefined) {
@@ -128,6 +131,16 @@ export function deepSet(x: any, path: string[], value: any) {
   }
 }
 
+/**
+ * Helper to detect prototype polluting keys
+ *
+ * A key matching this, MUST NOT be used in an assignment.
+ * Use this to check user-input.
+ */
+function isPrototypePollutingKey(key: string) {
+  return key === '__proto__' || key === 'constructor' || key === 'prototype';
+}
+
 /**
  * Recursively merge objects together
  *
@@ -139,7 +152,7 @@ export function deepSet(x: any, path: string[], value: any) {
 export function deepMerge(...objects: Array<Obj<any> | undefined>) {
   function mergeOne(target: Obj<any>, source: Obj<any>) {
     for (const key of Object.keys(source)) {
-      if (key === '__proto__' || key === 'constructor') {
+      if (isPrototypePollutingKey(key)) {
         continue;
       }
 

Original file line number	Diff line number	Diff line change
`@@ -103,9 +103,11 @@ export function deepSet(x: any, path: string[], value: any) {`
`103`	`103`
`104`	`104`	`while (path.length > 1 && isObject(x)) {`
`105`	`105`	`const key = path.shift()!;`
`106`		`- if (key === '__proto__' \|\| key === 'constructor' \|\| key === 'prototype') {`
`107`		- throw new ToolkitError(`Invalid key: ${key}`);
	`106`	`+`
	`107`	`+ if (isPrototypePollutingKey(key)) {`
	`108`	`+ continue;`
`108`	`109`	`}`
	`110`	`+`
`109`	`111`	`if (!(key in x)) {`
`110`	`112`	`x[key] = {};`
`111`	`113`	`}`
`@@ -117,8 +119,9 @@ export function deepSet(x: any, path: string[], value: any) {`
`117`	`119`	`}`
`118`	`120`
`119`	`121`	`const finalKey = path[0];`
`120`		`- if (finalKey === '__proto__' \|\| finalKey === 'constructor' \|\| finalKey === 'prototype') {`
`121`		- throw new ToolkitError(`Invalid key: ${finalKey}`);
	`122`	`+`
	`123`	`+ if (isPrototypePollutingKey(finalKey)) {`
	`124`	`+ return;`
`122`	`125`	`}`
`123`	`126`
`124`	`127`	`if (value !== undefined) {`
`@@ -128,6 +131,16 @@ export function deepSet(x: any, path: string[], value: any) {`
`128`	`131`	`}`
`129`	`132`	`}`
`130`	`133`
	`134`	`+/**`
	`135`	`+ * Helper to detect prototype polluting keys`
	`136`	`+ *`
	`137`	`+ * A key matching this, MUST NOT be used in an assignment.`
	`138`	`+ * Use this to check user-input.`
	`139`	`+ */`
	`140`	`+function isPrototypePollutingKey(key: string) {`
	`141`	`+ return key === '__proto__' \|\| key === 'constructor' \|\| key === 'prototype';`
	`142`	`+}`
	`143`	`+`
`131`	`144`	`/**`
`132`	`145`	`* Recursively merge objects together`
`133`	`146`	`*`
`@@ -139,7 +152,7 @@ export function deepSet(x: any, path: string[], value: any) {`
`139`	`152`	`export function deepMerge(...objects: Array<Obj<any> \| undefined>) {`
`140`	`153`	`function mergeOne(target: Obj<any>, source: Obj<any>) {`
`141`	`154`	`for (const key of Object.keys(source)) {`
`142`		`- if (key === '__proto__' \|\| key === 'constructor') {`
	`155`	`+ if (isPrototypePollutingKey(key)) {`
`143`	`156`	`continue;`
`144`	`157`	`}`
`145`	`158`