fix: harden config prototype-key guards (#22968) (thanks @Clawborn)

2026-05-07 09:31:25 +00:00 · 2026-02-22 00:24:54 +01:00
parent e23c08b5f4
commit 95dab6e019
5 changed files with 30 additions and 5 deletions
--- a/src/config/merge-patch.ts
+++ b/src/config/merge-patch.ts
@@ -1,10 +1,8 @@
 import { isPlainObject } from "../utils.js";
+import { isBlockedObjectKey } from "./prototype-keys.js";

 type PlainObject = Record<string, unknown>;

-/** Keys that must never be merged to prevent prototype-pollution attacks. */
-const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
-
 type MergePatchOptions = {
  mergeObjectArraysById?: boolean;
 };
@@ -73,7 +71,7 @@ export function applyMergePatch(
  const result: PlainObject = isPlainObject(base) ? { ...base } : {};

  for (const [key, value] of Object.entries(patch)) {
-    if (BLOCKED_KEYS.has(key)) {
+    if (isBlockedObjectKey(key)) {
      continue;
    }
    if (value === null) {