
🐛 [VULN-81506] fix prototype pollution via mergeInto and tryJsonParse #4820

Merged: bcaudan merged 3 commits into main from bcaudan/proto-pollution on Jun 22, 2026

Conversation

@bcaudan bcaudan commented Jun 22, 2026

Collaborator

Motivation

mergeInto performed a recursive deep merge without guarding against __proto__, making it possible for external input to corrupt Object.prototype.

Changes

  • Make mergeInto safe against prototype pollution by skipping __proto__ during recursive merge
  • Ensure tryJsonParse never returns objects carrying __proto__ as an own property
  • Harden storeContextManager and remoteConfigurationCache against malformed or untrusted localStorage data

Behavioral changes

mergeInto (and combine, deepClone) now silently drops the __proto__ key. tryJsonParse strips it from parsed JSON.

Test instructions

yarn test:unit

Checklist

  • Tested locally
  • Tested on staging
  • Added unit tests for this change.
  • Added e2e/integration tests for this change.
  • Updated documentation and/or relevant AGENTS.md file

datadog-official Bot commented Jun 22, 2026


Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 33.33%
Overall Coverage: 76.85% (-0.03%)

🔗 Commit SHA: 6291b50

cit-pr-commenter-54b7da Bot commented Jun 22, 2026


Bundles Sizes Evolution

📦 Bundle Name    Base Size    Local Size   𝚫        𝚫%
Rum               172.46 KiB   172.53 KiB   +62 B    +0.04%
Rum Profiler      8.22 KiB     8.22 KiB     0 B      0.00%
Rum Recorder      21.09 KiB    21.09 KiB    0 B      0.00%
Logs              54.47 KiB    54.57 KiB    +100 B   +0.18%
Rum Slim          129.97 KiB   130.02 KiB   +49 B    +0.04%
Worker            22.96 KiB    22.96 KiB    0 B      0.00%

@bcaudan bcaudan changed the title from "🔒 [VULN-81506] fix prototype pollution via mergeInto and tryJsonParse" to "🐛 [VULN-81506] fix prototype pollution via mergeInto and tryJsonParse" Jun 22, 2026
bcaudan commented Jun 22, 2026

Collaborator Author

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 755693fc1b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/js-core/src/util/mergeInto.ts Outdated
Comment thread packages/browser-core/src/tools/utils/objectUtils.ts Outdated
bcaudan added 3 commits June 22, 2026 11:38

  • Skips __proto__, constructor, and prototype keys during recursive merge to prevent Object.prototype corruption via attacker-controlled input.
  • Adds a JSON reviver that drops __proto__, constructor, and prototype keys at parse time — defense in depth for external cookie/JSON input.
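Worked illustration of the bug and fix that the PR description (Motivation and Changes) and the commit messages above describe. This is an added example, not code from the browser SDK: mergeIntoUnsafe, mergeIntoSafe, tryJsonParseSafe, FORBIDDEN_KEYS and demo are assumed names, and PAYLOAD is a constructed stand-in for untrusted localStorage or cookie contents. It shows a naive recursive merge reaching Object.prototype through a JSON-parsed `__proto__` key, the hardened merge that skips `__proto__`, `constructor` and `prototype`, and a JSON.parse reviver that strips those keys before the object exists.

```javascript
// Added example (not the SDK's own code). Illustrative names:
// mergeIntoUnsafe, mergeIntoSafe, tryJsonParseSafe, FORBIDDEN_KEYS, demo.
// The three keys the fix refuses to follow.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return typeof value === 'object' && value !== null && !Array.isArray(value);
}

// Vulnerable shape: recurses into every own key of `source`. JSON.parse
// creates "__proto__" as an ordinary own property, Object.keys returns it,
// and reading destination["__proto__"] on a plain object yields
// Object.prototype, so the nested payload is merged into the prototype
// that every object in the realm inherits from.
function mergeIntoUnsafe(destination, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(destination[key])) {
        destination[key] = {};
      }
      mergeIntoUnsafe(destination[key], value);
    } else {
      destination[key] = value;
    }
  }
  return destination;
}

// Hardened shape: the same merge, but the dangerous keys are skipped
// before any read or write touches `destination`.
function mergeIntoSafe(destination, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // the fix: never walk into __proto__, constructor, prototype
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(destination[key])) {
        destination[key] = {};
      }
      mergeIntoSafe(destination[key], value);
    } else {
      destination[key] = value;
    }
  }
  return destination;
}

// Defense in depth at the parse boundary: a reviver that returns undefined
// makes JSON.parse delete that property from its holder, so the parsed tree
// never carries the forbidden keys as own properties at any depth.
// Malformed input yields undefined instead of throwing.
function tryJsonParseSafe(text) {
  try {
    return JSON.parse(text, (key, value) => (FORBIDDEN_KEYS.has(key) ? undefined : value));
  } catch (error) {
    return undefined;
  }
}

// Constructed payload standing in for attacker-controlled storage contents.
const PAYLOAD = '{"__proto__": {"polluted": true}, "level": "info"}';

function demo() {
  // 1. Vulnerable merge: the gadget property shows up on a fresh object.
  mergeIntoUnsafe({}, JSON.parse(PAYLOAD));
  const pollutedAfterUnsafe = ({}).polluted === true;
  delete Object.prototype.polluted; // undo the pollution before the next checks

  // 2. Hardened merge: __proto__ is dropped, ordinary keys still merge.
  const config = mergeIntoSafe({ level: 'debug', sampleRate: 100 }, JSON.parse(PAYLOAD));
  const pollutedAfterSafe = ({}).polluted === true;

  // 3. Reviver: the parsed object has no own __proto__ key to begin with.
  const parsed = tryJsonParseSafe(PAYLOAD);
  const hasOwnProto = Object.prototype.hasOwnProperty.call(parsed, '__proto__');

  return {
    pollutedAfterUnsafe, // true
    pollutedAfterSafe, // false
    config, // { level: 'info', sampleRate: 100 }
    hasOwnProto, // false
    parsedLevel: parsed.level, // 'info'
    malformed: tryJsonParseSafe('{not json'), // undefined
  };
}
```

The order inside the loop matters: the skip has to come before `destination[key]` is read, because on a plain object that read already resolves `__proto__` to Object.prototype and the recursion then writes into it.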
@bcaudan bcaudan force-pushed the bcaudan/proto-pollution branch from 755693f to 6291b50 Compare June 22, 2026 09:38
@DataDog DataDog deleted a comment from chatgpt-codex-connector Bot Jun 22, 2026
bcaudan commented Jun 22, 2026

Collaborator Author

@codex review

@chatgpt-codex-connector


Codex Review: Didn't find any major issues. Hooray!

Reviewed commit: 6291b50753


@bcaudan bcaudan marked this pull request as ready for review June 22, 2026 09:56
@bcaudan bcaudan requested a review from a team as a code owner June 22, 2026 09:56
@bcaudan bcaudan merged commit e387e04 into main Jun 22, 2026
33 checks passed
@bcaudan bcaudan deleted the bcaudan/proto-pollution branch June 22, 2026 11:52
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 22, 2026