Fix prototype-polluting assignment in ra-data-localstorage

fzaninotto · github-advanced-security[bot] · web-flow · commit 3d3e6c0ca5b8 · 2025-05-27T11:20:05.000+02:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/packages/ra-data-local-storage/src/index.ts b/packages/ra-data-local-storage/src/index.ts
@@ -110,6 +110,9 @@ export default (params?: LocalStorageDataProviderParams): DataProvider => {
             return baseDataProvider.update<RecordType>(resource, params);
         },
         updateMany: (resource, params) => {
+            if (['__proto__', 'constructor', 'prototype'].includes(resource)) {
+                throw new Error(`Invalid resource key: ${resource}`);
+            }
             updateLocalStorage(() => {
                 params.ids.forEach(id => {
                     const index = data[resource]?.findIndex(
@@ -141,6 +144,9 @@ export default (params?: LocalStorageDataProviderParams): DataProvider => {
                 });
         },
         delete: <RecordType extends RaRecord = any>(resource, params) => {
+            if (['__proto__', 'constructor', 'prototype'].includes(resource)) {
+                throw new Error(`Invalid resource key: ${resource}`);
+            }
             updateLocalStorage(() => {
                 const index = data[resource]?.findIndex(
                     record => record.id == params.id
@@ -150,6 +156,9 @@ export default (params?: LocalStorageDataProviderParams): DataProvider => {
             return baseDataProvider.delete<RecordType>(resource, params);
         },
         deleteMany: (resource, params) => {
+            if (['__proto__', 'constructor', 'prototype'].includes(resource)) {
+                throw new Error(`Invalid resource key: ${resource}`);
+            }
             updateLocalStorage(() => {
                 const indexes = params.ids.map(id =>
                     data[resource]?.findIndex(record => record.id == id)
