
[utils] Prevent prototype pollution in fastDeepAssign#48580

Merged: Janpot merged 1 commit into mui:master from Janpot:fix/fastdeepassign-proto-pollution on May 27, 2026

Conversation

@Janpot (Member) commented May 27, 2026

Summary

Closes the prototype-pollution code-scanning alert against fastDeepAssign. JSON.parse creates a literal __proto__ own property without triggering the prototype setter; for (const key in source) then enumerates that key and target[key] = ... triggers the setter on Object.prototype, polluting the global prototype.

unstable_fastDeepAssign is exported from @mui/utils and used by @mui/system for sx/compose/breakpoints, where the source object can be application-provided at runtime — so this is reachable from real consumer code, not just tests.

The fix skips __proto__, constructor, and prototype in both mergeObject and cloneObject. Same pattern used by reputable deepmerge implementations.

@code-infra-dashboard (Bot) commented May 27, 2026

Deploy preview

https://deploy-preview-48580--material-ui.netlify.app/

Bundle size

Bundle                 Parsed size           Gzip size
@mui/material          🔺 +110B (+0.02%)     🔺 +33B (+0.02%)
@mui/lab               🔺 +110B (+0.32%)     🔺 +32B (+0.36%)
@mui/private-theming   0B (0.00%)            0B (0.00%)
@mui/system            🔺 +110B (+0.16%)     🔺 +26B (+0.11%)
@mui/utils             🔺 +110B (+0.72%)     🔺 +30B (+0.51%)

Check out the code infra dashboard for more information about this PR.

JSON.parse creates a literal `__proto__` own property without triggering
the prototype setter. `for (const key in source)` enumerates that key, and
`target[key] = ...` then triggers the setter on Object.prototype, polluting
the global prototype. This affects every consumer of `unstable_fastDeepAssign`
(the merge used by `sx`, `compose`, and `breakpoints` in `@mui/system`),
where the source object can be application-provided at runtime.

Skip `__proto__`, `constructor`, and `prototype` in `mergeObject` and
`cloneObject`. Adds regression tests.
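The mechanism described in the PR description and the commit message above, as an added example that is not MUI's code: a minimal recursive deep-assign in the unguarded shape (where `target[key]` for a JSON-created own `__proto__` key resolves to `Object.prototype` and the recursion writes into it), beside the guarded shape that skips `__proto__`, `constructor` and `prototype`. The names `unsafeDeepAssign`, `safeDeepAssign`, `pollutes` and the marker key are mine, not identifiers from `@mui/utils`.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Unguarded shape (hypothetical stand-in, not MUI's mergeObject): for a JSON-
// created own key "__proto__", target[key] reads Object.prototype, so the
// recursion writes application-controlled values onto the global prototype.
function unsafeDeepAssign(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepAssign(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guarded shape, as the PR does: the three keys are neither assigned nor recursed into.
function safeDeepAssign(target, source) {
  for (const key in source) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeDeepAssign(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges one constructed, JSON.parse-built source into a fresh object and reports
// whether the marker landed on Object.prototype; the marker is always removed again.
function pollutes(deepAssign) {
  const marker = 'examplePollutionMarker';
  const source = JSON.parse(`{"sx": {"m": 1}, "__proto__": {"${marker}": true}}`);
  try {
    deepAssign({}, source);
    return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
  } finally {
    delete Object.prototype[marker];
  }
}
```

`pollutes(unsafeDeepAssign)` returns true and `pollutes(safeDeepAssign)` returns false, which is the property the PR's regression tests pin down.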
@Janpot Janpot force-pushed the fix/fastdeepassign-proto-pollution branch from ad1e72f to a806ff5 on May 27, 2026 12:30
@Janpot Janpot requested a review from romgrk May 27, 2026 13:05
@Janpot Janpot merged commit 55acea4 into mui:master May 27, 2026
18 checks passed
@zannager zannager added the package: utils Specific to the utils package. label May 30, 2026
