fix(router-core): null prototype input/output objects (#6882)

Author: Sheraff

packages/react-router/tests/navigate.test.tsx

@@ -479,17 +479,26 @@ describe('router.navigate navigation using layout routes resolves correctly', ()
     await router.load()
 
     expect(router.state.location.pathname).toBe('/search')
-    expect(router.state.location.search).toStrictEqual({ 'foo=bar': 2 })
+    expect(router.state.location.search).toStrictEqual(
+      toNullObj({ 'foo=bar': 2 }),
+    )
 
     await router.navigate({
       search: { 'foo=bar': 3 },
     } as any)
     await router.invalidate()
 
-    expect(router.state.location.search).toStrictEqual({ 'foo=bar': 3 })
+    expect(router.state.location.search).toStrictEqual(
+      toNullObj({ 'foo=bar': 3 }),
+    )
   })
 })
 
+function toNullObj<T>(obj: T): T {
+  if (typeof obj === 'object') return Object.assign(Object.create(null), obj)
+  return obj
+}
+
 describe('relative navigation', () => {
   it('should navigate to a child route', async () => {
     const { router } = createTestRouter(

packages/router-core/src/new-process-route-tree.ts

@@ -896,7 +896,7 @@ function extractParams<T extends RouteLike>(
 ): [rawParams: Record<string, string>, state: ParamExtractionState] {
   const list = buildBranch(leaf.node)
   let nodeParts: Array<string> | null = null
-  const rawParams: Record<string, string> = {}
+  const rawParams: Record<string, string> = Object.create(null)
   /** which segment of the path we're currently processing */
   let partIndex = leaf.extract?.part ?? 0
   /** which node of the route tree branch we're currently processing */
@@ -1330,8 +1330,8 @@ function getNodeMatch<T extends RouteLike>(
       sliceIndex += parts[i]!.length
     }
     const splat = sliceIndex === path.length ? '/' : path.slice(sliceIndex)
-    bestFuzzy.rawParams ??= {}
-    bestFuzzy.rawParams['**'] = decodeURIComponent(splat)
+    bestFuzzy.rawParams ??= Object.create(null)
+    bestFuzzy.rawParams!['**'] = decodeURIComponent(splat)
     return bestFuzzy
   }
 
@@ -1348,7 +1348,11 @@ function validateMatchParams<T extends RouteLike>(
     frame.rawParams = rawParams
     frame.extract = state
     const parsed = frame.node.parse!(rawParams)
-    frame.parsedParams = Object.assign({}, frame.parsedParams, parsed)
+    frame.parsedParams = Object.assign(
+      Object.create(null),
+      frame.parsedParams,
+      parsed,
+    )
     return true
   } catch {
     return null

packages/router-core/src/path.ts

@@ -279,7 +279,7 @@ export function interpolatePath({
   // Tracking if any params are missing in the `params` object
   // when interpolating the path
   let isMissingParams = false
-  const usedParams: Record<string, unknown> = {}
+  const usedParams: Record<string, unknown> = Object.create(null)
 
   if (!path || path === '/')
     return { interpolatedPath: '/', usedParams, isMissingParams }

packages/router-core/src/qss.ts

@@ -64,7 +64,7 @@ function toValue(str: unknown) {
 export function decode(str: any): any {
   const searchParams = new URLSearchParams(str)
 
-  const result: Record<string, unknown> = {}
+  const result: Record<string, unknown> = Object.create(null)
 
   for (const [key, value] of searchParams.entries()) {
     const previousValue = result[key]

packages/router-core/src/router.ts

@@ -12,6 +12,7 @@ import {
   functionalUpdate,
   isDangerousProtocol,
   last,
+  nullReplaceEqualDeep,
   replaceEqualDeep,
 } from './utils'
 import {
@@ -1295,7 +1296,7 @@ export class RouterCore<
           pathname: decodePath(pathname).path,
           external: false,
           searchStr,
-          search: replaceEqualDeep(
+          search: nullReplaceEqualDeep(
             previousLocation?.search,
             parsedSearch,
           ) as any,
@@ -1324,7 +1325,10 @@ export class RouterCore<
         pathname: decodePath(url.pathname).path,
         external: !!this.rewrite && url.origin !== this.origin,
         searchStr,
-        search: replaceEqualDeep(previousLocation?.search, parsedSearch) as any,
+        search: nullReplaceEqualDeep(
+          previousLocation?.search,
+          parsedSearch,
+        ) as any,
         hash: decodePath(url.hash.slice(1)).path,
         state: replaceEqualDeep(previousLocation?.state, state),
       }
@@ -1549,8 +1553,8 @@ export class RouterCore<
           params: previousMatch?.params ?? routeParams,
           _strictParams: strictParams,
           search: previousMatch
-            ? replaceEqualDeep(previousMatch.search, preMatchSearch)
-            : replaceEqualDeep(existingMatch.search, preMatchSearch),
+            ? nullReplaceEqualDeep(previousMatch.search, preMatchSearch)
+            : nullReplaceEqualDeep(existingMatch.search, preMatchSearch),
           _strictSearch: strictMatchSearch,
         }
       } else {
@@ -1572,7 +1576,7 @@ export class RouterCore<
           pathname: interpolatedPath,
           updatedAt: Date.now(),
           search: previousMatch
-            ? replaceEqualDeep(previousMatch.search, preMatchSearch)
+            ? nullReplaceEqualDeep(previousMatch.search, preMatchSearch)
             : preMatchSearch,
           _strictSearch: strictMatchSearch,
           searchError: undefined,
@@ -1630,7 +1634,7 @@ export class RouterCore<
       // Update the match's params
       const previousMatch = previousMatchesByRouteId.get(match.routeId)
       match.params = previousMatch
-        ? replaceEqualDeep(previousMatch.params, routeParams)
+        ? nullReplaceEqualDeep(previousMatch.params, routeParams)
         : routeParams
 
       if (!existingMatch) {
@@ -1729,7 +1733,10 @@ export class RouterCore<
       params = lastStateMatch.params
     } else {
       // Parse params through the route chain
-      const strictParams: Record<string, unknown> = { ...routeParams }
+      const strictParams: Record<string, unknown> = Object.assign(
+        Object.create(null),
+        routeParams,
+      )
       for (const route of matchedRoutes) {
         try {
           extractStrictParams(
@@ -1836,7 +1843,10 @@ export class RouterCore<
       // From search should always use the current location
       const fromSearch = lightweightResult.search
       // Same with params. It can't hurt to provide as many as possible
-      const fromParams = { ...lightweightResult.params }
+      const fromParams = Object.assign(
+        Object.create(null),
+        lightweightResult.params,
+      )
 
       // Resolve the next to
       // ensure this includes the basePath if set
@@ -1847,7 +1857,7 @@ export class RouterCore<
       // Resolve the next params
       const nextParams =
         dest.params === false || dest.params === null
-          ? {}
+          ? Object.create(null)
           : (dest.params ?? true) === true
             ? fromParams
             : Object.assign(
@@ -1933,7 +1943,7 @@ export class RouterCore<
       })
 
       // Replace the equal deep
-      nextSearch = replaceEqualDeep(fromSearch, nextSearch)
+      nextSearch = nullReplaceEqualDeep(fromSearch, nextSearch)
 
       // Stringify the next search
       const searchStr = this.options.stringifySearch(nextSearch)
@@ -2013,7 +2023,7 @@ export class RouterCore<
       let maskedNext = maskedDest ? build(maskedDest) : undefined
 
       if (!maskedNext) {
-        const params = {}
+        const params = Object.create(null)
 
         if (this.options.routeMasks) {
           const match = findFlatMatch<RouteMask<TRouteTree>>(
@@ -2032,7 +2042,7 @@ export class RouterCore<
             // Otherwise, use the matched params or the provided params value
             const nextParams =
               maskParams === false || maskParams === null
-                ? {}
+                ? Object.create(null)
                 : (maskParams ?? true) === true
                   ? params
                   : Object.assign(params, functionalUpdate(maskParams, params))
@@ -3013,7 +3023,7 @@ export function getMatchedRoutes<TRouteLike extends RouteLike>({
   routesById: Record<string, TRouteLike>
   processedTree: ProcessedTree<any, any, any>
 }) {
-  const routeParams: Record<string, string> = {}
+  const routeParams: Record<string, string> = Object.create(null)
   const trimmedPath = trimPathRight(pathname)
 
   let foundRoute: TRouteLike | undefined = undefined
@@ -3022,7 +3032,7 @@ export function getMatchedRoutes<TRouteLike extends RouteLike>({
   if (match) {
     foundRoute = match.route
     Object.assign(routeParams, match.rawParams) // Copy params, because they're cached
-    parsedParams = Object.assign({}, match.parsedParams)
+    parsedParams = Object.assign(Object.create(null), match.parsedParams)
   }
 
   const matchedRoutes = match?.branch || [routesById[rootRouteId]!]

packages/router-core/src/utils.ts

@@ -215,13 +215,22 @@ export function functionalUpdate<TPrevious, TResult = TPrevious>(
 const hasOwn = Object.prototype.hasOwnProperty
 const isEnumerable = Object.prototype.propertyIsEnumerable
 
+const createNull = () => Object.create(null)
+export const nullReplaceEqualDeep: typeof replaceEqualDeep = (prev, next) =>
+  replaceEqualDeep(prev, next, createNull)
+
 /**
  * This function returns `prev` if `_next` is deeply equal.
  * If not, it will replace any deeply equal children of `b` with those of `a`.
  * This can be used for structural sharing between immutable JSON values for example.
  * Do not use this with signals
  */
-export function replaceEqualDeep<T>(prev: any, _next: T, _depth = 0): T {
+export function replaceEqualDeep<T>(
+  prev: any,
+  _next: T,
+  _makeObj = () => ({}),
+  _depth = 0,
+): T {
   if (isServer) {
     return _next
   }
@@ -243,7 +252,7 @@ export function replaceEqualDeep<T>(prev: any, _next: T, _depth = 0): T {
   if (!nextItems) return next
   const prevSize = prevItems.length
   const nextSize = nextItems.length
-  const copy: any = array ? new Array(nextSize) : {}
+  const copy: any = array ? new Array(nextSize) : _makeObj()
 
   let equalItems = 0
 
@@ -268,7 +277,7 @@ export function replaceEqualDeep<T>(prev: any, _next: T, _depth = 0): T {
       continue
     }
 
-    const v = replaceEqualDeep(p, n, _depth + 1)
+    const v = replaceEqualDeep(p, n, _makeObj, _depth + 1)
     copy[key] = v
     if (v === p) equalItems++
   }

packages/router-core/tests/load.test.ts

@@ -46,6 +46,34 @@ describe('redirect resolution', () => {
     expect(resolved.headers.get('Location')).toBe('/foo')
     expect(resolved.options.href).toBe('/foo')
   })
+
+  test.each(['/$a', '/$toString', '/$__proto__'])(
+    'server startup redirects initial path %s to /undefined',
+    async (initialPath) => {
+      const rootRoute = new BaseRootRoute({})
+      const slugRoute = new BaseRoute({
+        getParentRoute: () => rootRoute,
+        path: '/$slug',
+      })
+
+      const routeTree = rootRoute.addChildren([slugRoute])
+
+      const router = new RouterCore({
+        routeTree,
+        history: createMemoryHistory({ initialEntries: [initialPath] }),
+        isServer: true,
+      })
+
+      await router.load()
+
+      expect(router.state.redirect).toEqual(
+        expect.objectContaining({
+          options: expect.objectContaining({ href: '/undefined' }),
+        }),
+      )
+      expect(router.state.redirect?.headers.get('Location')).toBe('/undefined')
+    },
+  )
 })
 
 describe('beforeLoad skip or exec', () => {

packages/router-core/tests/optional-path-params.test.ts

@@ -465,7 +465,7 @@ describe('Optional Path Parameters', () => {
       },
     ])('$name', ({ input, matchingOptions, expectedMatchedParams }) => {
       expect(matchPathname(input, matchingOptions)).toStrictEqual(
-        expectedMatchedParams,
+        toNullObj(expectedMatchedParams),
       )
     })
   })
@@ -527,3 +527,8 @@ describe('Optional Path Parameters', () => {
     })
   })
 })
+
+function toNullObj<T>(obj: T): T {
+  if (typeof obj === 'object') return Object.assign(Object.create(null), obj)
+  return obj
+}

packages/router-core/tests/path.test.ts

@@ -736,7 +736,7 @@ describe('matchPathname', () => {
       },
     ])('$name', ({ input, matchingOptions, expectedMatchedParams }) => {
       expect(matchPathname(input, matchingOptions)).toStrictEqual(
-        expectedMatchedParams,
+        toNullObj(expectedMatchedParams),
       )
     })
   })
@@ -800,7 +800,7 @@ describe('matchPathname', () => {
       },
     ])('$name', ({ input, matchingOptions, expectedMatchedParams }) => {
       expect(matchPathname(input, matchingOptions)).toStrictEqual(
-        expectedMatchedParams,
+        toNullObj(expectedMatchedParams),
       )
     })
   })
@@ -879,7 +879,7 @@ describe('matchPathname', () => {
       },
     ])('$name', ({ input, matchingOptions, expectedMatchedParams }) => {
       expect(matchPathname(input, matchingOptions)).toStrictEqual(
-        expectedMatchedParams,
+        toNullObj(expectedMatchedParams),
       )
     })
   })
@@ -1217,3 +1217,8 @@ describe('parsePathname', () => {
     })
   })
 })
+
+function toNullObj<T>(obj: T): T {
+  if (typeof obj === 'object') return Object.assign(Object.create(null), obj)
+  return obj
+}

packages/solid-router/tests/navigate.test.tsx

@@ -480,17 +480,26 @@ describe('router.navigate navigation using layout routes resolves correctly', ()
     await router.load()
 
     expect(router.state.location.pathname).toBe('/search')
-    expect(router.state.location.search).toStrictEqual({ 'foo=bar': 2 })
+    expect(router.state.location.search).toStrictEqual(
+      toNullObj({ 'foo=bar': 2 }),
+    )
 
     await router.navigate({
       search: { 'foo=bar': 3 },
     } as any)
     await router.invalidate()
 
-    expect(router.state.location.search).toStrictEqual({ 'foo=bar': 3 })
+    expect(router.state.location.search).toStrictEqual(
+      toNullObj({ 'foo=bar': 3 }),
+    )
   })
 })
 
+function toNullObj<T>(obj: T): T {
+  if (typeof obj === 'object') return Object.assign(Object.create(null), obj)
+  return obj
+}
+
 describe('relative navigation', () => {
   it('should navigate to a child route', async () => {
     const { router } = createTestRouter(