Fix prototype pollution in applyMergePatch via blocked key filter

applyMergePatch in merge-patch.ts iterates Object.entries(patch) without filtering dangerous keys. When a caller passes a JSON-parsed object with a "__proto__" key, the loop assigns result["__proto__"] = value, which replaces the prototype of result and pollutes Object.prototype for the entire process. Add a BLOCKED_KEYS set ({"__proto__", "constructor", "prototype"}) and skip those keys during iteration, matching the guard already present in deepMerge (includes.ts) via isBlockedObjectKey. Adds four tests covering __proto__, constructor, prototype, and nested __proto__ injection. Co-authored-by: Clawborn <tianrun.yang103@gmail.com>
2026-05-06 21:31:35 +00:00 · 2026-02-22 05:42:22 +08:00
parent 780bbbd062
commit e23c08b5f4
2 changed files with 46 additions and 0 deletions
--- a/src/config/merge-patch.ts
+++ b/src/config/merge-patch.ts
@@ -2,6 +2,9 @@ import { isPlainObject } from "../utils.js";

 type PlainObject = Record<string, unknown>;

+/** Keys that must never be merged to prevent prototype-pollution attacks. */
+const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
+
 type MergePatchOptions = {
  mergeObjectArraysById?: boolean;
 };
@@ -70,6 +73,9 @@ export function applyMergePatch(
  const result: PlainObject = isPlainObject(base) ? { ...base } : {};

  for (const [key, value] of Object.entries(patch)) {
+    if (BLOCKED_KEYS.has(key)) {
+      continue;
+    }
    if (value === null) {
      delete result[key];
      continue;