fix: prevent prototype pollution (#41)

mesqueeb · mesqueeb · commit fd1a9e20a4b7 · 2025-03-25T06:43:37.000+13:00
diff --git a/src/merge.ts b/src/merge.ts
@@ -50,6 +50,8 @@ function mergeRecursively<T1, T2>(
     const symbols = Object.getOwnPropertySymbols(origin)
     newObject = [...props, ...symbols].reduce(
       (carry, key) => {
+        // Skip __proto__ properties to prevent prototype poisoning
+        if (key === '__proto__') return carry
         const targetVal = origin[key as string]
         if (
           (!isSymbol(key) && !Object.getOwnPropertyNames(newComer).includes(key)) ||
@@ -71,6 +73,8 @@ function mergeRecursively<T1, T2>(
   const props = Object.getOwnPropertyNames(newComer)
   const symbols = Object.getOwnPropertySymbols(newComer)
   const result = [...props, ...symbols].reduce((carry, key) => {
+    // Skip __proto__ properties to prevent prototype poisoning
+    if (key === '__proto__') return carry
     // re-define the origin and newComer as targetVal and newVal
     let newVal = newComer[key as string]
     const targetVal = isPlainObject(origin) ? origin[key as string] : undefined
@@ -91,9 +95,8 @@ function mergeRecursively<T1, T2>(
 }
 
 /**
- * Merge anything recursively.
- * Objects get merged, special objects (classes etc.) are re-assigned "as is".
- * Basic types overwrite objects or other basic types.
+ * Merge anything recursively. Objects get merged, special objects (classes etc.) are re-assigned
+ * "as is". Basic types overwrite objects or other basic types.
  */
 export function merge<T, const Tn extends unknown[]>(object: T, ...otherObjects: Tn): Merge<T, Tn> {
   return otherObjects.reduce((result, newComer) => {
diff --git a/test/index.test.ts b/test/index.test.ts
@@ -1,5 +1,5 @@
-import { test, expect } from 'vitest'
 import { isDate } from 'is-what'
+import { expect, test } from 'vitest'
 import { merge } from '../src/index'
 
 function copy<T>(any: T): T {
@@ -297,3 +297,33 @@ test('readme', () => {
     is: 'cool',
   })
 })
+
+test('prototype pollution', () => {
+  // Test object with default permissions
+  const defaultPermissions = {
+    read: true,
+    write: false,
+    delete: false,
+  }
+
+  // Attempt prototype pollution through __proto__
+  const maliciousPayload = JSON.parse('{"__proto__": { "isAdmin": true }}')
+  const mergedPermissions = merge({}, defaultPermissions, maliciousPayload)
+
+  // Verify that prototype pollution was prevented
+  expect(mergedPermissions.isAdmin).toBeUndefined()
+  expect(Object.getPrototypeOf(mergedPermissions)).toBe(Object.prototype)
+
+  // Test with constructor and prototype properties
+  const maliciousPayload2 = {
+    constructor: { prototype: { isAdmin: true } },
+  }
+  const mergedPermissions2 = merge({}, defaultPermissions, maliciousPayload2)
+  expect((mergedPermissions2 as any).isAdmin).toBeUndefined()
+  expect(Object.getPrototypeOf(mergedPermissions2)).toBe(Object.prototype)
+
+  // Verify original properties are still intact
+  expect(mergedPermissions.read).toBe(true)
+  expect(mergedPermissions.write).toBe(false)
+  expect(mergedPermissions.delete).toBe(false)
+})
