Version 1.1.37 (#1594)

sinclairzx81 · homanp · web-flow · commit 55b4cc974778 · 2026-05-01T23:10:06.000+09:00
* Prototype Pollution Guards on Value

* ChangeLog

* Version

---------

Co-authored-by: homanp &lt;homanp@gmail.com&gt;
diff --git a/changelog/1.1.0.md b/changelog/1.1.0.md
@@ -3,6 +3,8 @@
 ---
 
 ### Version Updates
+- [Revision 1.1.37](https://github.com/sinclairzx81/typebox/pull/1594)
+  - Add Prototype Pollution Guards for Value.* Functions Clone, Diff, Patch, Mutate and Pointer.
 - [Revision 1.1.36](https://github.com/sinclairzx81/typebox/pull/1592)
   - Ensure no Type Distribution when Mapping for Min/Max Tuple Elements (JSON Schema)
 - [Revision 1.1.35](https://github.com/sinclairzx81/typebox/pull/1591)
diff --git a/src/guard/guard.ts b/src/guard/guard.ts
@@ -189,10 +189,13 @@ export function TakeLeft<T, True extends (left: T, right: T[]) => unknown, False
 // --------------------------------------------------------------------------
 // Object
 // --------------------------------------------------------------------------
+/** Returns true if the PropertyKey is Unsafe (ref: prototype-pollution). */
+export function IsUnsafePropertyKey(key: PropertyKey): boolean {
+  return IsEqual(key, '__proto__') || IsEqual(key, 'constructor') || IsEqual(key, 'prototype')
+}
 /** Returns true if this value has this property key */
 export function HasPropertyKey<Key extends PropertyKey>(value: object, key: Key): value is { [_ in Key]: unknown } {
-  const isProtoField = IsEqual(key, '__proto__') || IsEqual(key, 'constructor')
-  return isProtoField ? Object.prototype.hasOwnProperty.call(value, key) : key in value
+  return IsUnsafePropertyKey(key) ? Object.prototype.hasOwnProperty.call(value, key) : key in value
 }
 /** Returns object entries as `[RegExp, Value][]` */
 export function EntriesRegExp<Value extends unknown = unknown>(value: Record<PropertyKey, Value>): [RegExp, Value][] {
@@ -202,7 +205,7 @@ export function EntriesRegExp<Value extends unknown = unknown>(value: Record<Pro
 export function Entries<Value extends unknown = unknown>(value: Record<PropertyKey, Value>): [string, Value][] {
   return Object.entries(value)
 }
-/** Returns the property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
+/** Returns property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
 export function Keys(value: Record<PropertyKey, unknown>): string[] {
   return Object.getOwnPropertyNames(value)
 }
diff --git a/src/schema/pointer/pointer.ts b/src/schema/pointer/pointer.ts
@@ -33,11 +33,17 @@ import { Guard } from '../../guard/index.ts'
 // ------------------------------------------------------------------
 // Asserts
 // ------------------------------------------------------------------
-function AssertNotRoot(indices: string[]) {
-  if(indices.length === 0) throw Error('Cannot set root')
+function AssertNotRoot(indices: string[]): void {
+  if (indices.length === 0) throw Error('Cannot set root')
 }
 function AssertCanSet(value: unknown): asserts value is Record<string, unknown> {
-  if(!Guard.IsObject(value)) throw Error('Cannot set value')
+  if (!Guard.IsObject(value)) throw Error('Cannot set value')
+}
+function AssertIndex(index: string): void {
+  if (Guard.IsUnsafePropertyKey(index)) throw Error('Pointer contains unsafe property key')
+}
+function AssertIndices(indices: string[]): void {
+  for (const index of indices) AssertIndex(index)
 }
 // ------------------------------------------------------------------
 // Indices
@@ -55,7 +61,7 @@ function HasIndex(index: string, value: unknown): value is Record<string, unknow
   return Guard.IsObject(value) && Guard.HasPropertyKey(value, index)
 }
 function GetIndex(index: string, value: unknown): unknown {
-  return Guard.IsObject(value) ? value[index] : undefined
+  return Guard.IsObject(value) && !Guard.IsUnsafePropertyKey(index) ? value[index] : undefined
 }
 function GetIndices(indices: string[], value: unknown): unknown {
   return indices.reduce((value, index) => GetIndex(index, value), value)
@@ -76,7 +82,7 @@ export function Indices(pointer: string): string[] {
 export function Has(value: unknown, pointer: string): unknown {
   let current = value
   return Indices(pointer).every(index => {
-    if(!HasIndex(index, current)) return false
+    if (!HasIndex(index, current)) return false
     current = current[index]
     return true
   })
@@ -96,6 +102,7 @@ export function Get(value: unknown, pointer: string): unknown {
 export function Set(value: unknown, pointer: string, next: unknown): unknown {
   const indices = Indices(pointer)
   AssertNotRoot(indices)
+  AssertIndices(indices)
   const [head, index] = TakeIndexRight(indices)
   const parent = GetIndices(head, value)
   AssertCanSet(parent)
@@ -109,10 +116,11 @@ export function Set(value: unknown, pointer: string, next: unknown): unknown {
 export function Delete(value: unknown, pointer: string): unknown {
   const indices = Indices(pointer)
   AssertNotRoot(indices)
+  AssertIndices(indices)
   const [head, index] = TakeIndexRight(indices)
   const parent = GetIndices(head, value)
   AssertCanSet(parent)
-  if(Guard.IsArray(parent) && IsNumericIndex(index)) {
+  if (Guard.IsArray(parent) && IsNumericIndex(index)) {
     parent.splice(+index, 1)
   } else {
     delete parent[index]
diff --git a/src/value/clone/clone.ts b/src/value/clone/clone.ts
@@ -48,16 +48,15 @@ function FromClassInstance(value: Record<PropertyKey, unknown>): Record<Property
 // ------------------------------------------------------------------
 function FromObjectInstance(value: Record<PropertyKey, unknown>): Record<PropertyKey, unknown> {
   const result = {} as Record<PropertyKey, unknown>
-  for (const key of Object.getOwnPropertyNames(value)) {
+  for (const key of Guard.Keys(value)) {
+    if (Guard.IsUnsafePropertyKey(key)) continue // (ignore: prototype-pollution)
     result[key] = Clone(value[key])
   }
-  for (const key of Object.getOwnPropertySymbols(value)) {
+  for (const key of Guard.Symbols(value)) {
     result[key] = Clone(value[key])
   }
   return result
 }
-
-Object.create({})
 // ------------------------------------------------------------------
 // Object
 // ------------------------------------------------------------------
diff --git a/src/value/delta/diff.ts b/src/value/delta/diff.ts
@@ -66,13 +66,15 @@ function* FromObject(path: string, left: Record<PropertyKey, unknown>, right: un
   // ----------------------------------------------------------------
   for (const key of rightKeys) {
     if (Guard.HasPropertyKey(left, key)) continue
+    if (Guard.IsUnsafePropertyKey(key)) continue
     yield CreateInsert(`${path}/${key}`, right[key])
   }
   // ----------------------------------------------------------------
   // Update
   // ----------------------------------------------------------------
   for (const key of leftKeys) {
     if (!Guard.HasPropertyKey(right, key)) continue
+    if (Guard.IsUnsafePropertyKey(key)) continue
     if (Equal(left, right)) continue
     yield* FromValue(`${path}/${key}`, left[key], right[key])
   }
@@ -81,6 +83,7 @@ function* FromObject(path: string, left: Record<PropertyKey, unknown>, right: un
   // ----------------------------------------------------------------
   for (const key of leftKeys) {
     if (Guard.HasPropertyKey(right, key)) continue
+    if (Guard.IsUnsafePropertyKey(key)) continue
     yield CreateDelete(`${path}/${key}`)
   }
 }
@@ -107,10 +110,10 @@ function* FromArray(path: string, left: unknown[], right: unknown): IterableIter
 function* FromTypedArray(path: string, left: GlobalsGuard.TTypeArray, right: unknown): IterableIterator<TEdit> {
   const typeLeft = globalThis.Object.getPrototypeOf(left).constructor.name
   const typeRight = globalThis.Object.getPrototypeOf(right).constructor.name
-  const predicate = GlobalsGuard.IsTypeArray(right) 
+  const predicate = GlobalsGuard.IsTypeArray(right)
     && Guard.IsEqual(left.length, right.length)
     && Guard.IsEqual(typeLeft, typeRight)
-  if(predicate) {
+  if (predicate) {
     for (let index = 0; index < Math.min(left.length, right.length); index++) {
       yield* FromValue(`${path}/${index}`, left[index], right[index])
     }
@@ -132,7 +135,7 @@ function* FromValue(path: string, left: unknown, right: unknown): IterableIterat
   return (
     GlobalsGuard.IsTypeArray(left) ? yield* FromTypedArray(path, left, right) :
     Guard.IsArray(left) ? yield* FromArray(path, left, right) :
-    Guard.IsObject(left) ?  yield* FromObject(path, left, right) :
+    Guard.IsObject(left) ? yield* FromObject(path, left, right) :
     yield* FromUnknown(path, left, right)
   )
 }
diff --git a/src/value/mutate/from_object.ts b/src/value/mutate/from_object.ts
@@ -35,23 +35,35 @@ import { Clone } from '../clone/index.ts'
 import { type TMutable } from './mutate.ts'
 import { FromValue } from './from_value.ts'
 
+// ------------------------------------------------------------------
+// AssertKey
+// ------------------------------------------------------------------
+function AssertKey(key: string): void {
+  if(Guard.IsUnsafePropertyKey(key)) throw Error('Attempted to Mutate with unsafe property key')
+}
+// ------------------------------------------------------------------
+// AssertKey
+// ------------------------------------------------------------------
 export function FromObject(root: TMutable, path: string, current: unknown, next: Record<string, unknown>): void {
   if (!Guard.IsObjectNotArray(current)) {
     Pointer.Set(root, path, Clone(next))
   } else {
     const currentKeys = Guard.Keys(current)
     const nextKeys = Guard.Keys(next)
     for (const currentKey of currentKeys) {
+      AssertKey(currentKey)
       if (!nextKeys.includes(currentKey)) {
         delete current[currentKey]
       }
     }
     for (const nextKey of nextKeys) {
+      AssertKey(nextKey)
       if (!currentKeys.includes(nextKey)) {
         current[nextKey] = next[nextKey]
       }
     }
     for (const nextKey of nextKeys) {
+      AssertKey(nextKey)
       FromValue(root, `${path}/${nextKey}`, current[nextKey], next[nextKey])
     }
   }
diff --git a/tasks.ts b/tasks.ts
@@ -9,7 +9,7 @@ import { Metrics } from './task/metrics/index.ts'
 import { Spec } from './task/spec/index.ts'
 import { Task } from 'tasksmith'
 
-const Version = '1.1.36'
+const Version = '1.1.37'
 
 // ------------------------------------------------------------------
 // Build
diff --git a/test/typebox/runtime/schema/pointer/pointer.ts b/test/typebox/runtime/schema/pointer/pointer.ts
@@ -83,9 +83,9 @@ Test('Should Indices 20', () => {
   const R = [...Schema.Pointer.Indices('/x/a~1b///')]
   Assert.IsEqual(R, ['x', 'a/b', '', '', ''])
 })
-//-----------------------------------------------
+//-------------------------------------------------------------------
 // Get
-//-----------------------------------------------
+//-------------------------------------------------------------------
 Test('Should Get 1', () => {
   const V = [0, 1, 2, 3]
   Assert.IsEqual(Schema.Pointer.Get(V, ''), [0, 1, 2, 3])
@@ -108,9 +108,9 @@ Test('Should Get 2', () => {
   Assert.IsEqual(Schema.Pointer.Get(V, '/2/x'), 2)
   Assert.IsEqual(Schema.Pointer.Get(V, '/3/x'), 3)
 })
-//-----------------------------------------------
+//-------------------------------------------------------------------
 // Delete
-//-----------------------------------------------
+//-------------------------------------------------------------------
 Test('Should Delete 1', () => {
   const V = { x: {} }
   const R = Schema.Pointer.Delete(V, '/x/x')
@@ -131,9 +131,9 @@ Test('Should Delete 3', () => {
   const R = Schema.Pointer.Delete(V, '/100')
   Assert.IsEqual(R, [1, 2, 3])
 })
-//-----------------------------------------------
+//-------------------------------------------------------------------
 // Has
-//-----------------------------------------------
+//-------------------------------------------------------------------
 Test('Should Has 1', () => {
   const V: any = undefined
   Assert.IsEqual(Schema.Pointer.Has(V, ''), true)
@@ -154,9 +154,9 @@ Test('Should Has 5', () => {
   const V = { x: { y: {} } }
   Assert.IsEqual(Schema.Pointer.Has(V, '/x/y/z'), false)
 })
-//-----------------------------------------------
+//-------------------------------------------------------------------
 // Throw
-//-----------------------------------------------
+//-------------------------------------------------------------------
 Test('Should throw 1', () => {
   const V = {}
   Assert.Throws(() => Schema.Pointer.Set(V, '', { x: 1 }))
@@ -169,9 +169,9 @@ Test('Should throw 3', () => {
   const V = { x: 1 }
   Assert.Throws(() => Schema.Pointer.Set(V, '/x/y', 3))
 })
-//-----------------------------------------------
+//-------------------------------------------------------------------
 // Escapes
-//-----------------------------------------------
+//-------------------------------------------------------------------
 Test('Should support get ~0 Schema.Pointer escape', () => {
   const V = {
     x: { '~': { x: 1 } }
@@ -185,3 +185,51 @@ Test('Should support get ~1 Schema.Pointer escape', () => {
   }
   Assert.IsEqual(Schema.Pointer.Get(V, '/x/~1'), { x: 1 })
 })
+//-------------------------------------------------------------------
+// Unsafe Property Keys
+//-------------------------------------------------------------------
+Test('Should return undefined if attempting to Get an unsafe property key', () => {
+  Assert.IsEqual(Schema.Pointer.Get({}, '/__proto__'), undefined)
+  Assert.IsEqual(Schema.Pointer.Get({}, '/constructor'), undefined)
+  Assert.IsEqual(Schema.Pointer.Get({}, '/prototype'), undefined)
+})
+Test('Should return undefined if attempting to Get a nested unsafe property key', () => {
+  Assert.IsEqual(Schema.Pointer.Get({ a: {} }, '/a/__proto__'), undefined)
+  Assert.IsEqual(Schema.Pointer.Get({ a: {} }, '/a/constructor'), undefined)
+  Assert.IsEqual(Schema.Pointer.Get({ a: {} }, '/a/prototype'), undefined)
+})
+Test('Should return false if attempting to Has an unsafe property key', () => {
+  Assert.IsEqual(Schema.Pointer.Has({}, '/__proto__'), false)
+  Assert.IsEqual(Schema.Pointer.Has({}, '/constructor'), false)
+  Assert.IsEqual(Schema.Pointer.Has({}, '/prototype'), false)
+})
+Test('Should return false if attempting to Has a nested unsafe property key', () => {
+  Assert.IsEqual(Schema.Pointer.Has({ a: {} }, '/a/__proto__'), false)
+  Assert.IsEqual(Schema.Pointer.Has({ a: {} }, '/a/constructor'), false)
+  Assert.IsEqual(Schema.Pointer.Has({ a: {} }, '/a/prototype'), false)
+})
+Test('Should throw if attempting to Set an unsafe property key', () => {
+  Assert.Throws(() => Schema.Pointer.Set({}, '/__proto__', 1))
+  Assert.Throws(() => Schema.Pointer.Set({}, '/constructor', 1))
+  Assert.Throws(() => Schema.Pointer.Set({}, '/prototype', 1))
+})
+Test('Should throw if attempting to Set a nested unsafe property key', () => {
+  Assert.Throws(() => Schema.Pointer.Set({ a: {} }, '/a/__proto__', 1))
+  Assert.Throws(() => Schema.Pointer.Set({ a: {} }, '/a/constructor', 1))
+  Assert.Throws(() => Schema.Pointer.Set({ a: {} }, '/a/prototype', 1))
+})
+Test('Should throw if attempting to Delete an unsafe property key', () => {
+  Assert.Throws(() => Schema.Pointer.Delete({}, '/__proto__'))
+  Assert.Throws(() => Schema.Pointer.Delete({}, '/constructor'))
+  Assert.Throws(() => Schema.Pointer.Delete({}, '/prototype'))
+})
+Test('Should throw if attempting to Delete a nested unsafe property key', () => {
+  Assert.Throws(() => Schema.Pointer.Delete({ a: {} }, '/a/__proto__'))
+  Assert.Throws(() => Schema.Pointer.Delete({ a: {} }, '/a/constructor'))
+  Assert.Throws(() => Schema.Pointer.Delete({ a: {} }, '/a/prototype'))
+})
+Test('Should not throw for property names that contain but do not equal unsafe names', () => {
+  Assert.IsEqual(Schema.Pointer.Get({ my_constructor: 1 }, '/my_constructor'), 1)
+  Assert.IsEqual(Schema.Pointer.Get({ prototypes: 1 }, '/prototypes'), 1)
+  Assert.IsEqual(Schema.Pointer.Get({ not__proto__: 1 }, '/not__proto__'), 1)
+})
diff --git a/test/typebox/runtime/value/clone/clone.ts b/test/typebox/runtime/value/clone/clone.ts
@@ -79,3 +79,41 @@ Test('Should Clone 12', () => {
   const B = Value.Clone(A)
   Assert.IsTrue(A === B)
 })
+// ----------------------------------------------------------------
+// Pollution Guards: Ensure No Unsafe Property is Cloned
+//
+// https://github.com/sinclairzx81/typebox/pull/1593
+// ----------------------------------------------------------------
+Test('Should Clone 13', () => {
+  const A = { value: 1, constructor: 2 }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { value: 1 })
+})
+Test('Should Clone 14', () => {
+  const A = { value: 1, prototype: 2 }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { value: 1 })
+})
+Test('Should Clone 15', () => {
+  const A = { value: 1 }
+  Object.defineProperty(A, '__proto__', { value: 2, enumerable: true })
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { value: 1 })
+})
+// Nested
+Test('Should Clone 16', () => {
+  const A = { outer: { value: 1, constructor: 2 } }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { outer: { value: 1 } })
+})
+Test('Should Clone 17', () => {
+  const A = { outer: { value: 1, prototype: 2 } }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { outer: { value: 1 } })
+})
+Test('Should Clone 18', () => {
+  const A = { outer: { value: 1 } }
+  Object.defineProperty(A.outer, '__proto__', { value: 2, enumerable: true })
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { outer: { value: 1 } })
+})
diff --git a/test/typebox/runtime/value/delta/diff.ts b/test/typebox/runtime/value/delta/diff.ts
diff --git a/test/typebox/runtime/value/delta/patch.ts b/test/typebox/runtime/value/delta/patch.ts
diff --git a/test/typebox/runtime/value/mutate/mutate.ts b/test/typebox/runtime/value/mutate/mutate.ts
