Hardening against prototype pollution#7

Merged
GrahamCampbell merged 2 commits into main from prototype-pollution
Apr 24, 2026

Conversation

@GrahamCampbell (Contributor)

No description provided.


Copilot AI left a comment

Pull request overview

This PR hardens Compose against prototype pollution and inherited-property edge cases by introducing “safe object” utilities, normalizing persisted state, and tightening how services/outputs/commands are resolved across the runtime.

Changes:

  • Add safe-object utilities (null-prototype registries, own-property checks, safe shallow assign, own-only path lookup).
  • Normalize local/S3 state on read and enforce reserved component/service id handling in state and component resolution.
  • Expand unit tests to cover reserved keys (__proto__, constructor, prototype), inherited properties, and null-prototype registries.

Reviewed changes

Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.

File Description
src/utils/safe-object.js New utilities for null-prototype registries, own checks, safe assignment, and own-only path access.
src/state/normalize-state.js New state normalization to drop reserved component ids and ensure safe component registries.
src/state/S3StateStorage.js Normalize remote state after JSON parse (and on missing key).
src/state/LocalStateStorage.js Normalize local state after file read (and on missing file).
src/state/BaseStateStorage.js Enforce reserved component ids on write; use own-property checks and null-prototype registries for components/outputs.
src/configuration/validate.js Ensure services is an own property; reject reserved service aliases; ignore inherited framework keys.
src/cli/Progresses.js Store progresses in a null-prototype registry and avoid inherited-key lookups.
src/Context.js Store componentCommandsOutcomes in a null-prototype registry.
src/ComponentsService.js Replace Ramda path with own-only lookup; use null-prototype maps; reject reserved aliases; avoid inherited output paths and inherited commands.
test/unit/src/utils/safe-object.test.js New unit tests for safe-object utilities and prototype-pollution cases.
test/unit/src/state/normalize-state.test.js New unit tests for state normalization behavior.
test/unit/src/state/S3StateStorage.test.js Verify normalized components registry and reserved-id stripping on remote state.
test/unit/src/state/LocalStateStorage.test.js New tests for local state normalization / reserved-id stripping.
test/unit/src/state/BaseStateStorage.test.js New tests for reserved-id handling and null-prototype registries in state storage.
test/unit/src/configuration/validate.test.js Add tests for inherited services, inherited framework keys, and reserved aliases.
test/unit/src/configuration/read.test.js Ensure nested unsafe keys are preserved as own data when reading configuration.
test/unit/src/components-service.test.js Add tests for inherited keys/paths/commands and reserved alias handling.
test/unit/src/cli/Progresses.test.js Validate null-prototype progresses registry behavior.
test/unit/src/Context.test.js Ensure output rendering works with null-prototype maps.
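The helpers the review summary describes (a null-prototype registry, an own-property check, a safe shallow assign that drops reserved keys, and an own-only path lookup) as an added example in plain JavaScript. This is not code from the Compose repository or from this PR; the function names (createRegistry, hasOwn, safeAssign, ownPath, demo), the reserved-key set, and the sample state are all constructed here to show why each piece is needed.

```javascript
// Added example, not the project's code. Hypothetical safe-object helpers of the
// kind the review summary describes, exercised on constructed untrusted state.

// Keys that untrusted data must never be allowed to use as object keys.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isReservedKey(key) {
  return RESERVED_KEYS.has(key);
}

// Own-property check that works on null-prototype objects and does not trust a
// possibly shadowed obj.hasOwnProperty.
function hasOwn(obj, key) {
  return obj !== null && typeof obj === 'object' &&
    Object.prototype.hasOwnProperty.call(obj, key);
}

// A registry with no prototype chain: "toString" or "constructor" only resolve if
// they were explicitly stored, so inherited keys cannot masquerade as entries.
function createRegistry() {
  return Object.create(null);
}

// Shallow assign that copies only the source's own, non-reserved keys. Inherited
// keys are never visited (Object.keys), reserved keys are skipped explicitly.
function safeAssign(target, source) {
  if (source === null || typeof source !== 'object') return target;
  for (const key of Object.keys(source)) {
    if (isReservedKey(key)) continue;
    target[key] = source[key];
  }
  return target;
}

// Walk a dotted path following own properties only. A reserved segment or a
// segment found only on the prototype chain yields undefined instead of a hit.
function ownPath(obj, path) {
  const segments = Array.isArray(path) ? path : String(path).split('.');
  let current = obj;
  for (const segment of segments) {
    if (isReservedKey(segment) || !hasOwn(current, segment)) return undefined;
    current = current[segment];
  }
  return current;
}

// Constructed untrusted input: what JSON.parse yields for persisted state that
// carries a "__proto__" key. JSON.parse creates it as an own data property, so a
// naive copy or a "for...in" loop would carry it into the registry.
const UNTRUSTED_STATE = JSON.parse(
  '{"components":{"__proto__":{"polluted":true},' +
  '"db":{"outputs":{"host":"db.internal"}}}}'
);

// Build a registry from the untrusted state and probe it the way the runtime
// would (own keys, a real output path, an inherited name, and the global prototype).
function demo() {
  const registry = safeAssign(createRegistry(), UNTRUSTED_STATE.components);
  return {
    keys: Object.keys(registry),                       // ["db"]; "__proto__" dropped
    host: ownPath(registry, 'db.outputs.host'),        // "db.internal"
    inherited: ownPath(registry, 'db.outputs.toString'), // undefined, not a function
    globalPolluted: ({}).polluted,                     // undefined: nothing leaked
  };
}

module.exports = { isReservedKey, hasOwn, createRegistry, safeAssign, ownPath, demo };
```

The two checks reinforce each other: the null-prototype registry stops lookups from falling through to Object.prototype, and the own-only path walk stops a plain object nested inside the state (which still has a prototype) from answering for inherited names such as toString or constructor.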

@GrahamCampbell GrahamCampbell marked this pull request as ready for review April 24, 2026 17:17
@GrahamCampbell GrahamCampbell merged commit 14b40c5 into main Apr 24, 2026
3 checks passed
@GrahamCampbell GrahamCampbell deleted the prototype-pollution branch April 25, 2026 00:06
2 participants