🐛 Prevent prototype pollution in amp-analytics mergeObjects #40522

Open
madib06ops wants to merge 1 commit into ampproject:main from madib06ops:amp-analytics-proto-pollution

@madib06ops

mergeObjects merges a remote analytics config fetched via res.json() (and the inline config) into the page config, but it never skips the __proto__ key. A config endpoint returning {"__proto__": {...}} makes the recursive merge read to['__proto__'], which resolves to Object.prototype, and the following assignments pollute it for every object on the page. Skip __proto__, constructor and prototype inside the merge loop so untrusted config can't reach the prototype chain. Added a regression test under the existing mergeObjects block.
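
The merge behaviour described in the pull request description above, as an added example that is not part of the pull request or the amp-analytics source. `mergeUnsafe`, `mergeSafe`, `pollutes` and both payloads are hypothetical names and constructed inputs; the nested payload shows why the key check has to sit inside the loop so it applies at every depth.

```javascript
// Added illustration with hypothetical helper names; not amp-analytics code.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded recursive merge: to['__proto__'] resolves to Object.prototype,
// so the recursion writes the remote config's keys onto it.
function mergeUnsafe(from, to) {
  for (const key of Object.keys(from)) {
    if (isObject(from[key]) && isObject(to[key])) {
      mergeUnsafe(from[key], to[key]);
    } else {
      to[key] = from[key];
    }
  }
  return to;
}

// Same merge, but keys that reach the prototype chain are skipped
// inside the loop, which covers every level of the recursion.
function mergeSafe(from, to) {
  for (const key of Object.keys(from)) {
    if (BLOCKED_KEYS.has(key)) {
      continue;
    }
    if (isObject(from[key]) && isObject(to[key])) {
      mergeSafe(from[key], to[key]);
    } else {
      to[key] = from[key];
    }
  }
  return to;
}

// Merges a constructed payload and reports whether a fresh, unrelated
// object picked up the injected key. Restores Object.prototype afterwards.
function pollutes(merge, payloadJson) {
  const remote = JSON.parse(payloadJson); // "__proto__" becomes an own property
  merge(remote, {vars: {}});
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// Constructed sample payloads: top-level and nested "__proto__" keys.
const TOP = '{"__proto__": {"polluted": true}}';
const NESTED = '{"vars": {"__proto__": {"polluted": true}}}';

console.log('unsafe:', pollutes(mergeUnsafe, TOP), pollutes(mergeUnsafe, NESTED));
console.log('safe:  ', pollutes(mergeSafe, TOP), pollutes(mergeSafe, NESTED));
```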

@CLAassistant

CLAassistant commented Jul 3, 2026

CLA assistant check
All committers have signed the CLA.
