fix: harden config prototype-key guards (#22968) (thanks @Clawborn)

Peter Steinberger
2026-02-22 00:24:54 +01:00
parent e23c08b5f4
commit 95dab6e019
5 changed files with 30 additions and 5 deletions


@@ -0,0 +1,23 @@
import { afterEach, describe, expect, it } from "vitest";
import { mergeMissing } from "./legacy.shared.js";
describe("mergeMissing prototype pollution guard", () => {
afterEach(() => {
delete (Object.prototype as Record<string, unknown>).polluted;
});
it("ignores __proto__ keys without polluting Object.prototype", () => {
const target = { safe: { keep: true } } as Record<string, unknown>;
const source = JSON.parse('{"safe":{"next":1},"__proto__":{"polluted":true}}') as Record<
string,
unknown
>;
mergeMissing(target, source);
expect((target.safe as Record<string, unknown>).keep).toBe(true);
expect((target.safe as Record<string, unknown>).next).toBe(1);
expect(target.polluted).toBeUndefined();
expect((Object.prototype as Record<string, unknown>).polluted).toBeUndefined();
});
});
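Review bot: The new test feeds `__proto__` only at the top level of `source`, so the recursive path is never handed a dangerous key, even though the `next` assertion shows that `mergeMissing` descends into `safe`. A regression that guarded only the outermost call would still pass this file. A second case with the key nested under `safe` would close that gap, and it should assert that the prototype of `target.safe` is still `Object.prototype`. The guard itself lives in `legacy.shared.js`, which is not visible here; if it also rejects `constructor` and `prototype`, as the commit title's "prototype-key guards" suggests, those keys deserve the same kind of case.

```typescript
// … unchanged: existing top-level __proto__ case …
it("ignores __proto__ keys nested inside a merged object", () => {
  const target = { safe: { keep: true } } as Record<string, unknown>;
  const source = JSON.parse('{"safe":{"__proto__":{"polluted":true}}}') as Record<
    string,
    unknown
  >;
  mergeMissing(target, source);
  expect((target.safe as Record<string, unknown>).keep).toBe(true);
  expect((target.safe as Record<string, unknown>).polluted).toBeUndefined();
  expect(Object.getPrototypeOf(target.safe)).toBe(Object.prototype);
  expect((Object.prototype as Record<string, unknown>).polluted).toBeUndefined();
});
```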