node-cache - fix: prototype pollution vulnerability in mget methods#1613

Merged: jaredwray merged 2 commits into main from claude/review-issue-1612-Lfkw1 on Mar 27, 2026

Conversation

@jaredwray (Owner)

Please check if the PR fulfills these requirements

  • Followed the Contributing guidelines and Code of Conduct
  • Tests for the changes have been added (for bug fixes/features) with 100% code coverage.

What kind of change does this PR introduce?

Bug fix - Security

Description

This PR fixes a prototype pollution vulnerability in the mget methods of both NodeCache and NodeCacheStore classes. The vulnerability occurred because the result object was created using object literal syntax ({}), which inherits from Object.prototype. When a key named __proto__ was stored and retrieved, it could pollute the prototype chain.

Changes

  • Modified NodeCache.mget() to create the result object using Object.create(null) instead of {}
  • Modified NodeCacheStore.mget() to create the result object using Object.create(null) instead of {}
  • Added comprehensive tests in both test suites to verify that storing and retrieving __proto__ keys does not pollute Object.prototype

The Object.create(null) approach creates an object with no prototype chain, preventing any possibility of prototype pollution while maintaining the same functional behavior for legitimate use cases.

Test Plan

Added unit tests that verify:

  1. The __proto__ key can be stored and retrieved normally
  2. Object.prototype remains unpolluted after operations with __proto__ keys
  3. The returned object correctly contains the __proto__ property without affecting the global prototype

All existing tests continue to pass with this change.

https://claude.ai/code/session_01MhMFGu517ERhcLM4M5DsM8
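The behaviour the description refers to, as an added example that is not code from the cacheable/node-cache repository: a hypothetical MiniCache whose mget is written once the pre-fix way with `{}` and once the post-fix way with `Object.create(null)`. demo() returns the observations the PR's tests check, including the `Object.getPrototypeOf(result) === null` and `Object.hasOwn(result, "__proto__")` assertions the follow-up commit describes.

```javascript
// Added example (hypothetical MiniCache), not the node-cache implementation.
class MiniCache {
  constructor() {
    this.store = new Map(); // Map keys are never confused with prototype properties
  }
  set(key, value) {
    this.store.set(String(key), value);
  }
  // Pre-fix shape: result inherits from Object.prototype, so assigning
  // result["__proto__"] invokes the inherited accessor and REPLACES the
  // result's prototype instead of creating an own property.
  mgetVulnerable(keys) {
    const result = {};
    for (const key of keys) {
      if (this.store.has(key)) result[key] = this.store.get(key);
    }
    return result;
  }
  // Post-fix shape: no prototype at all, so "__proto__" is just a key.
  mgetFixed(keys) {
    const result = Object.create(null);
    for (const key of keys) {
      if (this.store.has(key)) result[key] = this.store.get(key);
    }
    return result;
  }
}

// Constructed input: an entry cached under the key "__proto__" whose value
// is an object carrying a property name the caller never stored.
function demo() {
  const cache = new MiniCache();
  cache.set("safe", 1);
  cache.set("__proto__", { injected: "x" });
  const vuln = cache.mgetVulnerable(["safe", "__proto__"]);
  const fixed = cache.mgetFixed(["safe", "__proto__"]);
  return {
    // pre-fix: the entry is not an own property, it became the prototype,
    // so the consumer sees a property that came from the cached value
    vulnOwnsKey: Object.hasOwn(vuln, "__proto__"),          // false
    vulnInherits: vuln.injected,                             // "x"
    // post-fix: the checks the follow-up commit adds to the tests
    fixedProtoIsNull: Object.getPrototypeOf(fixed) === null, // true
    fixedOwnsKey: Object.hasOwn(fixed, "__proto__"),         // true
    fixedInherits: fixed.injected,                           // undefined
    // Object.prototype itself stays clean (test plan item 2)
    globalClean: !("injected" in Object.prototype),          // true
  };
}
```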

Use Object.create(null) for mget() result objects in both NodeCache and
NodeCacheStore so that __proto__ keys are treated as plain properties
instead of polluting Object.prototype.

Fixes #1612

https://claude.ai/code/session_01MhMFGu517ERhcLM4M5DsM8
@jaredwray changed the title from "Fix prototype pollution vulnerability in mget methods" to "node-cache - fix: prototype pollution vulnerability in mget methods" on Mar 27, 2026

@gemini-code-assist bot (Contributor) left a comment


Code Review

This pull request addresses potential prototype pollution vulnerabilities in the mget methods of NodeCache and NodeCacheStore by initializing result objects with Object.create(null). It also introduces test cases to verify that __proto__ keys do not affect the global object prototype. Review feedback suggests removing redundant type assertions for better code clarity and using bracket notation instead of dot notation for __proto__ property access in tests to adhere to standard practices.

@chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bd9ce08c01

@codecov

codecov bot commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (487d6ff) to head (49adf8f).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #1613   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           26        26           
  Lines         2485      2485           
  Branches       554       555    +1     
=========================================
  Hits          2485      2485           


Replace result.__proto__ value check with Object.getPrototypeOf(result)
=== null and Object.hasOwn(result, "__proto__") assertions that actually
verify the Object.create(null) fix rather than passing vacuously.

https://claude.ai/code/session_01MhMFGu517ERhcLM4M5DsM8
@jaredwray jaredwray merged commit d55398f into main Mar 27, 2026
10 checks passed
@jaredwray jaredwray deleted the claude/review-issue-1612-Lfkw1 branch March 27, 2026 17:00