Merged
8 changes: 6 additions & 2 deletions src/utils/helpers/DiffUtils.ts
Expand Up @@ -207,8 +207,12 @@
): void {
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const keys = path.split(".");
const lastKey = keys[keys.length - 1];

SonarQubeCloud / SonarCloud Code Analysis (check warning on line 210 in src/utils/helpers/DiffUtils.ts): Prefer `.at(…)` over `[….length - index]`.

See more on https://sonarcloud.io/project/issues?id=sebamar88_bytekit&issues=AZ1FbCXAHQBP3bJ2PBEr&open=AZ1FbCXAHQBP3bJ2PBEr&pullRequest=28

if (keys.some((k) => BLOCKED_KEYS.has(k))) return;
// Reject empty paths or any segment that could lead to prototype pollution
if (!lastKey || keys.some((k) => BLOCKED_KEYS.has(k))) {
return;
}

let current = obj;
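Review bot: The comment on the new guard says it rejects empty paths, but `!lastKey` only catches an empty final segment; `"a..b".split(".")` yields an empty middle segment that passes the check and creates a `""` key on the intermediate object. If empty segments are meant to be rejected everywhere, fold the test into the existing `some` call: `if (keys.some((k) => !k || BLOCKED_KEYS.has(k))) {`. The Sonar `.at()` hint on `keys[keys.length - 1]` is style only: `keys.at(-1)` would type as `string | undefined`, which this `!lastKey` check already handles, so keeping the indexed form to avoid a non-null assertion is a reasonable choice.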

Expand All @@ -220,7 +224,7 @@
current = current[key] as Record<string, unknown>;
}

current[keys.at(-1)!] = value;
current[lastKey] = value;

Check warning: Code scanning / CodeQL: Prototype-polluting function (Medium). The property chain here is recursively assigned to current without guarding against prototype pollution.

Copilot Autofix (AI, 6 days ago)

General approach

To harden against prototype pollution, the deep assignment function must:

  1. Reject dangerous property names in any segment of the path (already done).
  2. Avoid traversing or depending on inherited properties when creating intermediate objects.
  3. Ensure intermediate containers are safe (no implicit link to Object.prototype).

Best concrete fix in this file

Within setNestedValue:

  • Replace if (!(key in current)) with a check that only considers own properties, e.g. Object.prototype.hasOwnProperty.call(current, key). This prevents the code from following or relying on inherited properties that might be polluted.
  • Keep the existing blocking of __proto__, constructor, and prototype and the use of Object.create(null) for new intermediate objects.
  • We do not need new imports; Object.prototype.hasOwnProperty is globally available.
  • The external behavior remains the same for normal objects: if an intermediate key is absent as an own property, we still create an object; if it exists as an own property, we reuse it. The only change is that inherited properties are now treated as absent, which is safer and consistent with typical expectations for nested data structures.

Specific change

In src/utils/helpers/DiffUtils.ts, in setNestedValue, adjust the loop over keys so that:

if (!(key in current)) {
    current[key] = Object.create(null);
}

becomes:

if (!Object.prototype.hasOwnProperty.call(current, key)) {
    current[key] = Object.create(null);
}

No other changes are needed.

Suggested changeset 1
src/utils/helpers/DiffUtils.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/utils/helpers/DiffUtils.ts b/src/utils/helpers/DiffUtils.ts
--- a/src/utils/helpers/DiffUtils.ts
+++ b/src/utils/helpers/DiffUtils.ts
@@ -218,7 +218,7 @@
 
         for (let i = 0; i < keys.length - 1; i++) {
             const key = keys[i];
-            if (!(key in current)) {
+            if (!Object.prototype.hasOwnProperty.call(current, key)) {
                 current[key] = Object.create(null);
             }
             current = current[key] as Record<string, unknown>;
EOF
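Review bot: The own-property check stops the loop from following inherited properties, but neither the old `in` test nor the new `hasOwnProperty.call` test handles an own value that is not an object: if `current[key]` holds a string, number or `null` from earlier data, the loop assigns it to `current`, and the next iteration calls `hasOwnProperty.call` on it (a TypeError for `null`) and then assigns into a primitive, which throws in strict mode and is silently lost otherwise. Consider treating anything that is not a non-null object as absent, e.g. `const next = current[key]; if (typeof next !== "object" || next === null) { current[key] = Object.create(null); }`. If the compile target is ES2022 or later, `Object.hasOwn(current, key)` reads more directly than the `.call` form.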

Check warning: Code scanning / CodeQL: Prototype-polluting assignment (Medium). This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix (AI, 6 days ago): Copilot could not generate an autofix suggestion for this alert.

}

/**
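Review bot: `current[lastKey] = value;` is only as safe as the object `current` points at when the loop ends, and the traversal above it (the `if (!(key in current))` test shown in the autofix patch) follows inherited properties: on a plain object a segment such as `toString` satisfies `in`, so `current` becomes the shared `Object.prototype.toString` function and this final assignment writes a property onto it. The blocked-name set does not cover that case because the sink is reached through a name that is not blocked. Switching the existence test to an own-property check (`Object.prototype.hasOwnProperty.call(current, key)` or `Object.hasOwn`) so that inherited values are replaced with a fresh `Object.create(null)` container, as the autofix proposes, closes that path; keep the `lastKey` assignment as written once that change is in.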