fix(utils): prevent prototype pollution in deepMerge

Author: Dremig

packages/utils/src/__tests__/utils.spec.ts

@@ -604,6 +604,19 @@ describe('Service/Utilies', () => {
         e: 2,
       });
     });
+
+    it('should ignore prototype pollution keys while merging objects', () => {
+      delete (Object.prototype as any).polluted;
+
+      const input1 = {};
+      const input2 = JSON.parse('{"__proto__":{"polluted":"yes"},"constructor":{"prototype":{"polluted":"yes"}},"prototype":{"polluted":"yes"}}');
+
+      const output = deepMerge(input1, input2);
+
+      expect(output).toEqual({});
+      expect((Object.prototype as any).polluted).toBeUndefined();
+      expect(({} as any).polluted).toBeUndefined();
+    });
   });
 
   describe('emptyObject() method', () => {

packages/utils/src/utils.ts

@@ -1,5 +1,7 @@
 import type { AnyFunction } from './models/types.js';
 
+const unsafeMergeKeys = new Set(['__proto__', 'constructor', 'prototype']);
+
 /**
  * Add an item to an array only when the item does not exists, when the item is an object we will be using their "id" to compare
  * @param inputArray
@@ -107,7 +109,7 @@ export function deepMerge(target: any, ...sources: any[]): any {
 
   if (isObject(target) && isObject(source)) {
     Object.keys(source).forEach((prop) => {
-      if (source.hasOwnProperty(prop)) {
+      if (Object.prototype.hasOwnProperty.call(source, prop) && !unsafeMergeKeys.has(prop)) {
         if (prop in target) {
           // handling merging of two properties with equal names
           if (typeof (target as any)[prop] !== 'object') {