
fix(utils): prevent prototype pollution in deepMerge#2630

Merged
ghiscoding merged 1 commit into
ghiscoding:masterfrom
Dremig:fix/deepmerge-prototype-pollution
Jun 20, 2026
Conversation

@Dremig

@Dremig Dremig commented Jun 20, 2026

Contributor

fixes #2629

@codecov

codecov Bot commented Jun 20, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.0%. Comparing base (b9ce077) to head (66b54e7).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2630   +/-   ##
=======================================
  Coverage   100.0%   100.0%           
=======================================
  Files         200      200           
  Lines       25285    25286    +1     
  Branches     8945     8945           
=======================================
+ Hits        25283    25284    +1     
  Misses          2        2           
Flag        Coverage Δ
angular     100.0% <ø> (ø)
universal   100.0% <100.0%> (ø)



@pkg-pr-new

pkg-pr-new Bot commented Jun 20, 2026

angular-slickgrid

npm i https://pkg.pr.new/angular-slickgrid@2630

aurelia-slickgrid

npm i https://pkg.pr.new/aurelia-slickgrid@2630

slickgrid-react

npm i https://pkg.pr.new/slickgrid-react@2630

slickgrid-vue

npm i https://pkg.pr.new/slickgrid-vue@2630

@slickgrid-universal/angular-row-detail-plugin

npm i https://pkg.pr.new/@slickgrid-universal/angular-row-detail-plugin@2630

@slickgrid-universal/aurelia-row-detail-plugin

npm i https://pkg.pr.new/@slickgrid-universal/aurelia-row-detail-plugin@2630

@slickgrid-universal/react-row-detail-plugin

npm i https://pkg.pr.new/@slickgrid-universal/react-row-detail-plugin@2630

@slickgrid-universal/vue-row-detail-plugin

npm i https://pkg.pr.new/@slickgrid-universal/vue-row-detail-plugin@2630

@slickgrid-universal/binding

npm i https://pkg.pr.new/@slickgrid-universal/binding@2630

@slickgrid-universal/common

npm i https://pkg.pr.new/@slickgrid-universal/common@2630

@slickgrid-universal/composite-editor-component

npm i https://pkg.pr.new/@slickgrid-universal/composite-editor-component@2630

@slickgrid-universal/custom-footer-component

npm i https://pkg.pr.new/@slickgrid-universal/custom-footer-component@2630

@slickgrid-universal/custom-tooltip-plugin

npm i https://pkg.pr.new/@slickgrid-universal/custom-tooltip-plugin@2630

@slickgrid-universal/empty-warning-component

npm i https://pkg.pr.new/@slickgrid-universal/empty-warning-component@2630

@slickgrid-universal/event-pub-sub

npm i https://pkg.pr.new/@slickgrid-universal/event-pub-sub@2630

@slickgrid-universal/excel-export

npm i https://pkg.pr.new/@slickgrid-universal/excel-export@2630

@slickgrid-universal/graphql

npm i https://pkg.pr.new/@slickgrid-universal/graphql@2630

@slickgrid-universal/odata

npm i https://pkg.pr.new/@slickgrid-universal/odata@2630

@slickgrid-universal/pagination-component

npm i https://pkg.pr.new/@slickgrid-universal/pagination-component@2630

@slickgrid-universal/pdf-export

npm i https://pkg.pr.new/@slickgrid-universal/pdf-export@2630

@slickgrid-universal/row-detail-view-plugin

npm i https://pkg.pr.new/@slickgrid-universal/row-detail-view-plugin@2630

@slickgrid-universal/rxjs-observable

npm i https://pkg.pr.new/@slickgrid-universal/rxjs-observable@2630

@slickgrid-universal/sql

npm i https://pkg.pr.new/@slickgrid-universal/sql@2630

@slickgrid-universal/text-export

npm i https://pkg.pr.new/@slickgrid-universal/text-export@2630

@slickgrid-universal/utils

npm i https://pkg.pr.new/@slickgrid-universal/utils@2630

@slickgrid-universal/vanilla-bundle

npm i https://pkg.pr.new/@slickgrid-universal/vanilla-bundle@2630

@slickgrid-universal/vanilla-force-bundle

npm i https://pkg.pr.new/@slickgrid-universal/vanilla-force-bundle@2630

@slickgrid-universal/web-mcp

npm i https://pkg.pr.new/@slickgrid-universal/web-mcp@2630

commit: 66b54e7

@ghiscoding

Owner

Thanks but asking the AI, it says the following:

What still remains an issue

  • prop in target is still present.
    Even though the obvious “dangerous key names” are skipped, using in means the merge behavior depends on inherited properties. That’s not the same as __proto__ mutation, but it can still cause correctness/security problems:
    • If prop exists on the prototype chain for some objects, you may merge/recursively merge in a way you didn’t intend.
    • It can also create surprising behavior that could become exploitable depending on what other “gadgets” exist in the app.
      So: your patch likely fixes the specific __proto__ pollution PoC, but it is not the fully robust “prototype-pollution-safe” pattern.

What I would change in the proposal (small but important)
If you want the patch to be solid, adjust just these two things:

  1. Replace prop in target with an own-property check:
     if (Object.prototype.hasOwnProperty.call(target, prop)) { ... }
  2. Only deep-merge plain objects (optional but strongly recommended):
     • recurse only when both sides are plain objects; otherwise assign/concat.

If you paste the current isObject() and the datagrid integration points (what data is fed into deepMerge), I can tell you whether the “plain object restriction” is necessary for your case and what the most likely gadget paths are.

@Dremig Dremig force-pushed the fix/deepmerge-prototype-pollution branch from bbe30c2 to 66b54e7 on June 20, 2026 17:27
@Dremig

Dremig commented Jun 20, 2026

Contributor Author

@ghiscoding Good point about prop in target.

I updated the patch to use Object.prototype.hasOwnProperty.call(target, prop) instead, so inherited target properties are no longer considered merge targets. I also added a regression test to make sure deepMerge() does not recursively merge into inherited target properties.

I kept the plain-object restriction out of this PR for now because it may be a broader behavioral change for existing users of deepMerge(). This patch focuses on the prototype-pollution fix and the inherited-property issue while keeping compatibility risk low.
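The pattern the two comments above converge on (skip the prototype-reaching keys, replace `prop in target` with an own-property check, and optionally recurse only into plain objects), shown as an added example that is not the slickgrid-universal `deepMerge()` code. `deepMergeNaive`, `deepMergeSafe`, `isPlainObject`, `FORBIDDEN_KEYS` and the demo inputs are constructed for illustration; the naive version is kept only to make the inherited-property difference observable on a local object, not on `Object.prototype`.

```javascript
'use strict';

// Added example (not slickgrid-universal's deepMerge): a naive deep merge that
// shows the hazards raised in review beside a hardened version. All names and
// sample inputs below are constructed for illustration.

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Plain object: prototype is Object.prototype or null (no class instances, Maps, etc.).
function isPlainObject(v) {
  if (!isObject(v)) return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Source keys that would let a merge walk onto the prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive merge: no key filter, and `prop in target` also matches inherited
// properties, so recursion can descend into an object shared via the prototype.
function deepMergeNaive(target, ...sources) {
  for (const source of sources) {
    for (const prop in source) {
      if (isObject(source[prop]) && prop in target && isObject(target[prop])) {
        deepMergeNaive(target[prop], source[prop]);
      } else {
        target[prop] = source[prop];
      }
    }
  }
  return target;
}

// Hardened merge: skip prototype-reaching keys, recurse only into an OWN
// plain-object property of target, and only when the source side is plain too.
function deepMergeSafe(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const prop of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(prop)) continue;
      const value = source[prop];
      const ownTarget = Object.prototype.hasOwnProperty.call(target, prop);
      if (isPlainObject(value)) {
        // An inherited or non-plain target[prop] is never merged into: start a fresh own object.
        if (!ownTarget || !isPlainObject(target[prop])) target[prop] = {};
        deepMergeSafe(target[prop], value);
      } else if (Array.isArray(value)) {
        target[prop] = ownTarget && Array.isArray(target[prop]) ? target[prop].concat(value) : value.slice();
      } else {
        target[prop] = value;
      }
    }
  }
  return target;
}

// The `in` problem: `instance` inherits `grid` from a shared defaults object.
// A merge that honours inherited properties writes into the shared defaults.
function inheritedPropertyDemo(merge) {
  const defaults = { grid: { rows: 10 } };
  const instance = Object.create(defaults);
  merge(instance, { grid: { cols: 5 } });
  return {
    sharedCols: defaults.grid.cols,                                  // leaked into defaults?
    ownGrid: Object.prototype.hasOwnProperty.call(instance, 'grid'), // own copy created?
    instanceCols: instance.grid.cols,
  };
}

// Regression check for the hardened merge: a JSON-decoded source carrying an own
// "__proto__" key (constructed payload) must leave Object.prototype untouched.
function pollutionRegression() {
  const source = JSON.parse('{"__proto__": {"polluted": true}, "ok": 1}');
  const result = deepMergeSafe({}, source);
  return { polluted: ({}).polluted, ok: result.ok };
}

console.log('naive:', inheritedPropertyDemo(deepMergeNaive));
console.log('safe: ', inheritedPropertyDemo(deepMergeSafe));
console.log('regression:', pollutionRegression());
```

With the naive merge, `inheritedPropertyDemo` reports `sharedCols: 5` and `ownGrid: false`: the recursion followed the inherited `grid` and mutated the shared defaults. The hardened merge leaves `defaults` untouched and gives `instance` its own `grid`, which is the behaviour the regression test in this PR pins down; the plain-object restriction is the optional third step the author deferred.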

@ghiscoding ghiscoding merged commit 62071e8 into ghiscoding:master Jun 20, 2026
13 checks passed
@ghiscoding

Owner

ok let's go with that, did you intend to do more PRs or should I push a patch release with this?

@ghiscoding ghiscoding added the security Pull requests that address a security vulnerability label Jun 20, 2026
@Dremig

Dremig commented Jun 20, 2026

Contributor Author

Thanks! I only found this specific issue during my scan, so I do not plan to open more PRs for now.

A patch release with this fix would be great.

Also, as a small process suggestion, would you consider adding a SECURITY.md file and enabling GitHub Private Vulnerability Reporting for this repository? That would give researchers a clear private channel for future security reports.

If you consider this issue security-relevant, I would also appreciate it if you could publish a GitHub Security Advisory for it, so affected users can be properly notified and the fix can be tracked through the usual advisory workflow.

Thanks again for the quick response and review!

@github-actions


🎉 This pull request is included in version 10.8.2 📦
🔗 The release notes are available at: GitHub Release 🚀

Labels

security Pull requests that address a security vulnerability

Successfully merging this pull request may close these issues.

Prototype pollution in public deepMerge / Utilities.deepAssign utility

2 participants