
fix: prevent prototype pollution in objDeepCopy/objCopyProps#563

Closed
MSNev wants to merge 1 commit into
nevware21:mainfrom
MSNev:MSNev/CVE-2026-46681

Conversation

@MSNev
Contributor

@MSNev MSNev commented May 16, 2026

Restrict _copyProps to only copy own properties using objHasOwnProperty and skip dangerous keys (`__proto__`, `constructor`, `prototype`) to prevent prototype pollution attacks during deep copy operations.

Restrict _copyProps to only copy own properties using objHasOwnProperty
and skip dangerous keys (__proto__, constructor, prototype) to prevent
prototype pollution attacks during deep copy operations.
@MSNev MSNev added this to the 0.14.0 milestone May 16, 2026
Copilot AI review requested due to automatic review settings May 16, 2026 01:34
@MSNev MSNev requested review from a team as code owners May 16, 2026 01:34
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses a prototype pollution vulnerability in objDeepCopy/objCopyProps by restricting copies to own properties and excluding dangerous keys (__proto__, constructor, prototype). It also adds a cross-env NODE_OPTIONS=--no-experimental-strip-types prefix to the node test scripts (presumably to keep ts-mocha working on newer Node versions).

Changes:

  • In _copyProps, guard the iteration with objHasOwnProperty and skip __proto__, constructor, and prototype keys.
  • Import the corresponding constants and the objHasOwnProperty helper.
  • Update test:node / test:node_esnext to disable Node's experimental type-stripping via cross-env.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
lib/src/object/copy.ts | Restrict _copyProps to own, non-dangerous properties to prevent prototype pollution.
package.json | Wrap node test scripts with cross-env NODE_OPTIONS=--no-experimental-strip-types to ensure ts-mocha runs correctly.
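The guard the review describes, shown as an added example rather than the library's own code: a minimal recursive copy in a vulnerable form beside a hardened form that copies only own properties and skips the three keys. Function names and the payload are constructed for the illustration.

```typescript
// Added example (not the ts-utils implementation): a minimal recursive copy in a
// vulnerable form and in a form with the two guards described in the PR.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = Object.prototype.hasOwnProperty;

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Vulnerable variant: walks every enumerable key. For a "__proto__" key from
// JSON.parse, target["__proto__"] resolves to Object.prototype, so the
// recursion writes straight into the shared prototype.
function unsafeDeepCopy(target: any, source: any): any {
  for (const key in source) {
    const val = source[key];
    target[key] = isPlainObject(val) ? unsafeDeepCopy(target[key] || {}, val) : val;
  }
  return target;
}

// Hardened variant: copy only own properties and skip the dangerous keys.
// hasOwnProperty alone is not enough: JSON.parse makes "__proto__" an own
// property of the parsed object, so it is the key blocklist that stops it.
function safeDeepCopy(target: any, source: any): any {
  for (const key in source) {
    if (!hasOwn.call(source, key) || DANGEROUS_KEYS.has(key)) continue;
    const val = source[key];
    target[key] = isPlainObject(val)
      ? safeDeepCopy(isPlainObject(target[key]) ? target[key] : {}, val)
      : val;
  }
  return target;
}

// Constructed payload of the kind a JSON request body would carry.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "cfg"}');

// Runs one copy implementation against the payload, reports whether
// Object.prototype was modified, and undoes any pollution afterwards.
function pollutes(copy: (t: any, s: any) => any): boolean {
  try {
    copy({}, PAYLOAD);
    return ({} as any).polluted === "yes";
  } finally {
    delete (Object.prototype as any).polluted;
  }
}
```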

@nev21
Contributor

nev21 commented May 16, 2026

I've taken over this fix to provide a more comprehensive solution with #565

@nev21 nev21 closed this May 16, 2026
@nev21 nev21 removed this from the 0.14.0 milestone May 19, 2026