Merge pull request #26 from script-development/security/deepcopy-prototype-pollution

security(helpers): filter __proto__ and constructor in deepCopy

Author: Goosterhof

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@script-development/fs-helpers",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Tree-shakeable shared utility helpers: deep copy, type guards, and case conversion",
   "homepage": "https://packages.script.nl/packages/helpers",
   "license": "MIT",

packages/helpers/package.json

@@ -18,6 +18,10 @@ export type Writable<T> = T extends WritablePrimitive
  *
  * Handles: primitives, plain objects, arrays, Date, null.
  * Does NOT handle: Map, Set, RegExp, functions, circular references.
+ *
+ * Security: skips `__proto__` and `constructor` keys to prevent prototype
+ * pollution when copying untrusted input (e.g., `JSON.parse` of external
+ * data, where these keys are treated as literal own properties).
  */
 export const deepCopy = <T>(toCopy: T): Writable<T> => {
   if (typeof toCopy !== "object" || toCopy === null) return toCopy as Writable<T>;
@@ -29,6 +33,7 @@ export const deepCopy = <T>(toCopy: T): Writable<T> => {
   const copiedObject: Record<string, unknown> = {};
 
   for (const key of Object.keys(toCopy)) {
+    if (key === "__proto__" || key === "constructor") continue;
     copiedObject[key] = deepCopy((toCopy as Record<string, unknown>)[key]);
   }
 

packages/helpers/src/deep-copy.ts

@@ -70,4 +70,41 @@ describe("deepCopy", () => {
     expect(copy.b.c).toBe(99);
     expect(original.a).toBe(1);
   });
+
+  describe("prototype pollution resistance", () => {
+    it("should not set the prototype from a JSON-parsed __proto__ key", () => {
+      // JSON.parse treats __proto__ as a literal own property, unlike object literals.
+      const malicious = JSON.parse('{"__proto__": {"polluted": "yes"}}') as Record<string, unknown>;
+
+      const copy = deepCopy(malicious) as Record<string, unknown>;
+
+      expect(Object.getPrototypeOf(copy)).toBe(Object.prototype);
+      expect(copy.polluted).toBeUndefined();
+    });
+
+    it("should not copy a literal constructor key from external data", () => {
+      const malicious = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}') as Record<
+        string,
+        unknown
+      >;
+
+      const copy = deepCopy(malicious);
+
+      expect(Object.hasOwn(copy, "constructor")).toBe(false);
+      // Sanity: ensure Object.prototype was not polluted by the copy operation.
+      expect(({} as Record<string, unknown>).polluted).toBeUndefined();
+    });
+
+    it("should preserve safe keys when dangerous keys are present", () => {
+      const malicious = JSON.parse(
+        '{"__proto__": {"polluted": "yes"}, "safe": 1, "other": "keep"}',
+      ) as Record<string, unknown>;
+
+      const copy = deepCopy(malicious) as Record<string, unknown>;
+
+      expect(copy.safe).toBe(1);
+      expect(copy.other).toBe("keep");
+      expect(copy.polluted).toBeUndefined();
+    });
+  });
 });