
fix(common): prevent prototype pollution in formatDateTime#69013

Open
arturovt wants to merge 1 commit into
angular:mainfrom
arturovt:fix/common_formatDateTime_pollution

Conversation

Contributor

@arturovt arturovt commented May 29, 2026

Replace in operator with Object.hasOwn in
formatDateTime to prevent prototype pollution attacks.

The in operator traverses the prototype chain, meaning a polluted
Object.prototype key could be picked up as a valid replacement value.
This is especially critical in SSR environments where a single
prototype pollution attack persists across all subsequent requests in
the shared Node.js process, potentially injecting malicious content
into every user's rendered HTML.

Using Object.hasOwn restricts the lookup to
own properties only, blocking prototype chain traversal.
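As an added illustration of the difference described above (this is not Angular's code and not part of this PR; the real formatDateTime replacement logic is assumed here to be a plain token-to-value map lookup, and the polluted key and its value are a constructed fixture):

```javascript
// Added example: a simplified placeholder formatter in the spirit of
// formatDateTime. `replacements` maps a format token (e.g. "yyyy") to its
// value; a token that has no replacement is expected to be left untouched.

// Vulnerable lookup: `in` walks the prototype chain, so a key that has been
// polluted onto Object.prototype is treated as a valid replacement value.
function formatWithIn(template, replacements) {
  return template.replace(/[a-zA-Z]+/g, (token) =>
    token in replacements ? String(replacements[token]) : token,
  );
}

// Hardened lookup: Object.hasOwn consults only the object's own properties,
// so anything inherited from Object.prototype is ignored.
function formatWithHasOwn(template, replacements) {
  return template.replace(/[a-zA-Z]+/g, (token) =>
    Object.hasOwn(replacements, token) ? String(replacements[token]) : token,
  );
}

// Runs both formatters while an unrelated key ("dd") is temporarily polluted
// onto Object.prototype (constructed fixture, removed again in `finally`),
// and returns both outputs so the behaviours can be compared.
function demonstrate() {
  const template = 'yyyy-MM-dd';
  const replacements = { yyyy: '2026', MM: '05' }; // no "dd" supplied
  Object.defineProperty(Object.prototype, 'dd', {
    value: 'POLLUTED',
    configurable: true,
    writable: true,
    enumerable: false,
  });
  try {
    return {
      withIn: formatWithIn(template, replacements),       // '2026-05-POLLUTED'
      withHasOwn: formatWithHasOwn(template, replacements), // '2026-05-dd'
    };
  } finally {
    delete Object.prototype.dd;
  }
}
```

In a long-lived SSR process the pollution would not be cleaned up between requests, which is why the own-property check matters there in particular.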

@pullapprove pullapprove Bot requested a review from atscott May 29, 2026 11:32
@angular-robot angular-robot Bot added the area: common Issues related to APIs in the @angular/common package label May 29, 2026
@ngbot ngbot Bot added this to the Backlog milestone May 29, 2026
@JeanMeche
Member

Object.hasOwn is baseline widely available, we are allowed to use it.

Replace `in` operator with `Object.hasOwn` in
formatDateTime to prevent prototype pollution attacks.

The `in` operator traverses the prototype chain, meaning a polluted
Object.prototype key could be picked up as a valid replacement value.
This is especially critical in SSR environments where a single
prototype pollution attack persists across all subsequent requests in
the shared Node.js process, potentially injecting malicious content
into every user's rendered HTML.

Using `Object.hasOwn` restricts the lookup to
own properties only, blocking prototype chain traversal.
@arturovt arturovt force-pushed the fix/common_formatDateTime_pollution branch from 47feb3e to c889053 Compare May 29, 2026 12:56
@arturovt
Contributor Author

> Object.hasOwn is baseline widely available, we are allowed to use it.

Updated

@atscott atscott added the target: rc This PR is targeted for the next release-candidate label May 29, 2026