Merge branch 'main' into security/stream-request-honors-credentials

Goosterhof · web-flow · commit d8fbed430d87 · 2026-04-13T13:43:17.000+02:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/helpers/package.json b/packages/helpers/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@script-development/fs-helpers",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Tree-shakeable shared utility helpers: deep copy, type guards, and case conversion",
   "homepage": "https://packages.script.nl/packages/helpers",
   "license": "MIT",
diff --git a/packages/helpers/src/deep-copy.ts b/packages/helpers/src/deep-copy.ts
@@ -18,6 +18,10 @@ export type Writable<T> = T extends WritablePrimitive
  *
  * Handles: primitives, plain objects, arrays, Date, null.
  * Does NOT handle: Map, Set, RegExp, functions, circular references.
+ *
+ * Security: skips `__proto__` and `constructor` keys to prevent prototype
+ * pollution when copying untrusted input (e.g., `JSON.parse` of external
+ * data, where these keys are treated as literal own properties).
  */
 export const deepCopy = <T>(toCopy: T): Writable<T> => {
   if (typeof toCopy !== "object" || toCopy === null) return toCopy as Writable<T>;
@@ -29,6 +33,7 @@ export const deepCopy = <T>(toCopy: T): Writable<T> => {
   const copiedObject: Record<string, unknown> = {};
 
   for (const key of Object.keys(toCopy)) {
+    if (key === "__proto__" || key === "constructor") continue;
     copiedObject[key] = deepCopy((toCopy as Record<string, unknown>)[key]);
   }
 
diff --git a/packages/helpers/tests/deep-copy.spec.ts b/packages/helpers/tests/deep-copy.spec.ts
@@ -70,4 +70,41 @@ describe("deepCopy", () => {
     expect(copy.b.c).toBe(99);
     expect(original.a).toBe(1);
   });
+
+  describe("prototype pollution resistance", () => {
+    it("should not set the prototype from a JSON-parsed __proto__ key", () => {
+      // JSON.parse treats __proto__ as a literal own property, unlike object literals.
+      const malicious = JSON.parse('{"__proto__": {"polluted": "yes"}}') as Record<string, unknown>;
+
+      const copy = deepCopy(malicious) as Record<string, unknown>;
+
+      expect(Object.getPrototypeOf(copy)).toBe(Object.prototype);
+      expect(copy.polluted).toBeUndefined();
+    });
+
+    it("should not copy a literal constructor key from external data", () => {
+      const malicious = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}}') as Record<
+        string,
+        unknown
+      >;
+
+      const copy = deepCopy(malicious);
+
+      expect(Object.hasOwn(copy, "constructor")).toBe(false);
+      // Sanity: ensure Object.prototype was not polluted by the copy operation.
+      expect(({} as Record<string, unknown>).polluted).toBeUndefined();
+    });
+
+    it("should preserve safe keys when dangerous keys are present", () => {
+      const malicious = JSON.parse(
+        '{"__proto__": {"polluted": "yes"}, "safe": 1, "other": "keep"}',
+      ) as Record<string, unknown>;
+
+      const copy = deepCopy(malicious) as Record<string, unknown>;
+
+      expect(copy.safe).toBe(1);
+      expect(copy.other).toBe("keep");
+      expect(copy.polluted).toBeUndefined();
+    });
+  });
 });
diff --git a/packages/storage/package.json b/packages/storage/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@script-development/fs-storage",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Framework-agnostic localStorage service factory with prefix namespacing",
   "homepage": "https://packages.script.nl/packages/storage",
   "license": "MIT",
diff --git a/packages/storage/src/storage.ts b/packages/storage/src/storage.ts
@@ -1,6 +1,12 @@
 import type { StorageService, Get } from "./types";
 
 export const createStorageService = (prefix: string): StorageService => {
+  if (prefix.includes(":")) {
+    throw new Error(
+      `createStorageService: prefix must not contain ":" — got ${JSON.stringify(prefix)}. The colon is reserved as the prefix/key separator; a prefix containing ":" would allow clear() to match and delete keys from other prefixes (e.g., prefix "app" would delete everything stored under "app:admin").`,
+    );
+  }
+
   const prefixKey = (key: string): string => `${prefix}:${key}`;
 
   const put = (key: string, value: unknown): void => {
diff --git a/packages/storage/tests/storage.spec.ts b/packages/storage/tests/storage.spec.ts
@@ -28,6 +28,16 @@ describe("storage service", () => {
       expect(storage).toHaveProperty("remove");
       expect(storage).toHaveProperty("clear");
     });
+
+    it("should throw when the prefix contains a colon", () => {
+      expect(() => createStorageService("app:admin")).toThrow(/must not contain ":"/u);
+      expect(() => createStorageService(":leading")).toThrow(/must not contain ":"/u);
+      expect(() => createStorageService("trailing:")).toThrow(/must not contain ":"/u);
+    });
+
+    it("should include the offending prefix in the error message", () => {
+      expect(() => createStorageService("bad:prefix")).toThrow(/"bad:prefix"/u);
+    });
   });
 
   describe("put", () => {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@script-development/fs-helpers",`
`3`		`- "version": "0.1.0",`
	`3`	`+ "version": "0.1.1",`
`4`	`4`	`"description": "Tree-shakeable shared utility helpers: deep copy, type guards, and case conversion",`
`5`	`5`	`"homepage": "https://packages.script.nl/packages/helpers",`
`6`	`6`	`"license": "MIT",`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@script-development/fs-storage",`
`3`		`- "version": "0.1.0",`
	`3`	`+ "version": "0.1.1",`
`4`	`4`	`"description": "Framework-agnostic localStorage service factory with prefix namespacing",`
`5`	`5`	`"homepage": "https://packages.script.nl/packages/storage",`
`6`	`6`	`"license": "MIT",`