fix: deny modifying the object prototype (#1698)

Author: WikiRik

src/shared/object.ts

@@ -14,7 +14,10 @@ export function deepAssign<T, S>(target: T, source: S): T & S;
 export function deepAssign<S>(target: {}, source: S): S;
 export function deepAssign(target: any, ...sources: any[]): any {
   sources.forEach((source) => {
-    Object.getOwnPropertyNames(source).forEach((key) => assign(key, target, source));
+    Object.getOwnPropertyNames(source).forEach(
+      (key) =>
+        !['__proto__', 'constructor', 'prototype'].includes(key) && assign(key, target, source)
+    );
     /* istanbul ignore next */
     if (Object.getOwnPropertySymbols) {
       Object.getOwnPropertySymbols(source).forEach((key) => assign(key, target, source));

test/specs/utils/object.spec.ts

@@ -1,5 +1,6 @@
 import { expect } from 'chai';
 import { deepAssign } from '../../../src/shared/object';
+import { addScopeOptions } from '../../../src/scopes/scope-service';
 
 describe('utils', () => {
   describe('object', () => {
@@ -109,6 +110,14 @@ describe('utils', () => {
         expect(copy.test).to.have.property('protoFn').that.is.a('function');
       });
 
+      it('ignore prototype property', () => {
+        const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
+        const empty_scope = {};
+
+        addScopeOptions(empty_scope, BAD_JSON);
+        expect(empty_scope).not.to.have.property('polluted');
+      });
+
       if (Object.getOwnPropertySymbols) {
         it('should copy symbol based objects', () => {
           const symbol = Symbol('test');