fix: prevent prototype pollution in a number of locations

rix0rrr · rix0rrr · commit ead2606a4761 · 2026-03-30T12:03:33.000+02:00
Prototype pollution is not a realistic attack on CDK, since values never
come from untrusted sources. Nevertheless, the presence of possible
prototype pollution sites makes for a fertile ground for security
reports that we then have to look into.

Address these, in one of 3 ways:

- If we control the destination of the assignment, use
  `Object.create(null)` to a create an object literal that is not
  vulnerable to prototype pollution.
- In an assignment where we don't control the destination object, use
  `assertNoProto` to ensure the key is not `__proto__`.
- In a recursive merge function where we don't control the destination
  object, assert that the key is not one of `__proto__`, `constructor`
  or `prototype`.
diff --git a/packages/@aws-cdk/aws-amplify-alpha/lib/app.ts b/packages/@aws-cdk/aws-amplify-alpha/lib/app.ts
@@ -3,6 +3,7 @@ import type * as codebuild from 'aws-cdk-lib/aws-codebuild';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import type { IResource, SecretValue } from 'aws-cdk-lib/core';
 import { Lazy, Resource, ValidationError } from 'aws-cdk-lib/core';
+import { assertNoProto } from 'aws-cdk-lib/core/lib/helpers-internal';
 import { addConstructMetadata, MethodMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 import { propertyInjectable } from 'aws-cdk-lib/core/lib/prop-injectable';
 import type { Construct, IConstruct } from 'constructs';
@@ -349,6 +350,7 @@ export class App extends Resource implements IApp, iam.IGrantable {
    */
   @MethodMetadata()
   public addEnvironment(name: string, value: string) {
+    assertNoProto(name);
     this.environmentVariables[name] = value;
     return this;
   }
@@ -361,6 +363,7 @@ export class App extends Resource implements IApp, iam.IGrantable {
    */
   @MethodMetadata()
   public addAutoBranchEnvironment(name: string, value: string) {
+    assertNoProto(name);
     this.autoBranchEnvironmentVariables[name] = value;
     return this;
   }
diff --git a/packages/@aws-cdk/aws-amplify-alpha/lib/branch.ts b/packages/@aws-cdk/aws-amplify-alpha/lib/branch.ts
@@ -12,6 +12,7 @@ import {
   Stack,
   ValidationError,
 } from 'aws-cdk-lib/core';
+import { assertNoProto } from 'aws-cdk-lib/core/lib/helpers-internal';
 import { addConstructMetadata, MethodMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 import { propertyInjectable } from 'aws-cdk-lib/core/lib/prop-injectable';
 import { Provider } from 'aws-cdk-lib/custom-resources';
@@ -248,6 +249,7 @@ export class Branch extends Resource implements IBranch {
    */
   @MethodMetadata()
   public addEnvironment(name: string, value: string) {
+    assertNoProto(name);
     this.environmentVariables[name] = value;
     return this;
   }
diff --git a/packages/@aws-cdk/aws-glue-alpha/lib/connection.ts b/packages/@aws-cdk/aws-glue-alpha/lib/connection.ts
@@ -1,7 +1,7 @@
 import type * as ec2 from 'aws-cdk-lib/aws-ec2';
 import { CfnConnection } from 'aws-cdk-lib/aws-glue';
 import * as cdk from 'aws-cdk-lib/core';
-import { memoizedGetter } from 'aws-cdk-lib/core/lib/helpers-internal';
+import { assertNoProto, memoizedGetter } from 'aws-cdk-lib/core/lib/helpers-internal';
 import { addConstructMetadata, MethodMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
 import { propertyInjectable } from 'aws-cdk-lib/core/lib/prop-injectable';
 import type * as constructs from 'constructs';
@@ -406,6 +406,7 @@ export class Connection extends cdk.Resource implements IConnection {
    */
   @MethodMetadata()
   public addProperty(key: string, value: string): void {
+    assertNoProto(key);
     this.properties[key] = value;
   }
 }
diff --git a/packages/@aws-cdk/aws-redshift-alpha/lib/parameter-group.ts b/packages/@aws-cdk/aws-redshift-alpha/lib/parameter-group.ts
@@ -2,6 +2,7 @@ import { CfnClusterParameterGroup } from 'aws-cdk-lib/aws-redshift';
 import type { IResource } from 'aws-cdk-lib/core';
 import { Resource, ValidationError } from 'aws-cdk-lib/core';
 import { addConstructMetadata, MethodMetadata } from 'aws-cdk-lib/core/lib/metadata-resource';
+import { assertNoProto } from 'aws-cdk-lib/core/lib/private/prototype-pollution';
 import { propertyInjectable } from 'aws-cdk-lib/core/lib/prop-injectable';
 import type { Construct } from 'constructs';
 
@@ -106,6 +107,7 @@ export class ClusterParameterGroup extends ClusterParameterGroupBase {
    */
   @MethodMetadata()
   public addParameter(name: string, value: string): void {
+    assertNoProto(name);
     const existingValue = Object.entries(this.parameters).find(([key, _]) => key === name)?.[1];
     if (existingValue === undefined) {
       this.parameters[name] = value;
diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources/aws-custom-resource-handler/utils.ts b/packages/@aws-cdk/custom-resource-handlers/lib/custom-resources/aws-custom-resource-handler/utils.ts
@@ -25,6 +25,9 @@ export function decodeSpecialValues(object: object, physicalResourceId: string):
     }
     if (x && typeof x === 'object') {
       for (const [key, value] of Object.entries(x)) {
+        if (['__proto__', 'prototype', 'constructor'].includes(key)) {
+          throw new Error(`Unsafe key: ${key}`);
+        }
         x[key] = recurse(value);
       }
       return x;
diff --git a/packages/@aws-cdk/integ-tests-alpha/lib/assertions/providers/lambda-handler/utils.ts b/packages/@aws-cdk/integ-tests-alpha/lib/assertions/providers/lambda-handler/utils.ts
@@ -1,3 +1,5 @@
+import { assertNoProtoRec } from 'aws-cdk-lib/core/lib/helpers-internal';
+
 /**
  * Recurse into the given object, trying to parse any string as JSON
  */
@@ -12,6 +14,7 @@ export function deepParseJson(x: unknown): unknown {
   }
   if (x && typeof x === 'object') {
     for (const [key, value] of Object.entries(x)) {
+      assertNoProtoRec(key);
       (x as any)[key] = deepParseJson(value);
     }
 
diff --git a/packages/aws-cdk-lib/aws-apigatewayv2/lib/common/base.ts b/packages/aws-cdk-lib/aws-apigatewayv2/lib/common/base.ts
@@ -34,7 +34,7 @@ export abstract class ApiBase extends Resource implements IApi {
  * @internal
  */
 export abstract class StageBase extends Resource implements IStage {
-  private stageVariables: { [key: string]: string } = {};
+  private stageVariables: { [key: string]: string } = Object.create(null); // Prevent prototype pollution
   public abstract readonly stageName: string;
   protected abstract readonly baseApi: IApi;
 
diff --git a/packages/aws-cdk-lib/aws-apigatewayv2/lib/parameter-mapping.ts b/packages/aws-cdk-lib/aws-apigatewayv2/lib/parameter-mapping.ts
@@ -86,8 +86,10 @@ export class ParameterMapping {
    * Represents all created parameter mappings.
    */
   public readonly mappings: { [key: string]: string };
+
   constructor() {
-    this.mappings = {};
+    // Prevent prototype pollution
+    this.mappings = Object.create(null);
   }
 
   /**
diff --git a/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi.ts b/packages/aws-cdk-lib/aws-appsync/lib/graphqlapi.ts
@@ -686,7 +686,7 @@ export class GraphqlApi extends GraphqlApiBase {
   private apiKeyResource?: CfnApiKey;
   private domainNameResource?: CfnDomainName;
   private mergedApiExecutionRole?: IRole;
-  private environmentVariables: { [key: string]: string } = {};
+  private environmentVariables: { [key: string]: string } = Object.create(null); // Prevent prototype pollution
 
   constructor(scope: Construct, id: string, props: GraphqlApiProps) {
     super(scope, id);
diff --git a/packages/aws-cdk-lib/aws-codebuild/lib/build-spec.ts b/packages/aws-cdk-lib/aws-codebuild/lib/build-spec.ts
@@ -4,6 +4,7 @@ import type { Project } from './project';
 import * as s3_assets from '../../aws-s3-assets';
 import type { IResolveContext } from '../../core';
 import { Lazy, Stack, UnscopedValidationError } from '../../core';
+import { assertNoProtoRec } from '../../core/lib/private/prototype-pollution';
 
 /**
  * BuildSpec for CodeBuild projects
@@ -251,6 +252,7 @@ function mergeDeep(lhs: any, rhs: any): any {
   if (isObject(lhs) && isObject(rhs)) {
     const ret: any = { ...lhs };
     for (const k of Object.keys(rhs)) {
+      assertNoProtoRec(k);
       ret[k] = k in lhs ? mergeDeep(lhs[k], rhs[k]) : rhs[k];
     }
     return ret;
diff --git a/packages/aws-cdk-lib/aws-codepipeline/lib/artifact.ts b/packages/aws-cdk-lib/aws-codepipeline/lib/artifact.ts
@@ -23,7 +23,7 @@ export class Artifact {
 
   private _artifactName?: string;
   private _artifactFiles?: string[];
-  private readonly metadata: { [key: string]: any } = {};
+  private readonly metadata: { [key: string]: any } = Object.create(null); // Prevent prototype pollution
 
   /**
    * An output artifact of an action. Artifacts can be used as input by some actions.
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/cfn-init-elements.ts b/packages/aws-cdk-lib/aws-ec2/lib/cfn-init-elements.ts
@@ -30,7 +30,7 @@ export class InitServiceRestartHandle {
   private readonly commands = new Array<string>();
   private readonly files = new Array<string>();
   private readonly sources = new Array<string>();
-  private readonly packages: Record<string, string[]> = {};
+  private readonly packages: Record<string, string[]> = Object.create(null); // Prevent prototype pollution
 
   /**
    * Add a command key to the restart set
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/container-definition.ts b/packages/aws-cdk-lib/aws-ecs/lib/container-definition.ts
@@ -607,13 +607,11 @@ export class ContainerDefinition extends Construct {
       }
     }
 
-    this.dockerLabels = { ...props.dockerLabels };
+    this.dockerLabels = Object.create(null); // Prevent prototype pollution
+    Object.assign(this.dockerLabels, props.dockerLabels);
 
-    if (props.environment) {
-      this.environment = { ...props.environment };
-    } else {
-      this.environment = {};
-    }
+    this.environment = Object.create(null); // Prevent prototype pollution
+    Object.assign(this.environment, props.environment);
 
     if (props.environmentFiles) {
       this.environmentFiles = [];
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/log-drivers/utils.ts b/packages/aws-cdk-lib/aws-ecs/lib/log-drivers/utils.ts
@@ -36,7 +36,7 @@ export function ensureInRange(val: number, start: number, end: number) {
 }
 
 export function stringifyOptions(options: { [key: string]: (SecretValue | Duration | string | string[] | number | boolean | undefined) }) {
-  const _options: { [key: string]: string } = {};
+  const _options: { [key: string]: string } = Object.create(null);
   const filteredOptions = removeEmpty(options);
 
   for (const [key, value] of Object.entries(filteredOptions)) {
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-listener.ts
@@ -129,7 +129,7 @@ export abstract class BaseListener extends Resource implements IListener {
   /**
    * Attributes set on this listener
    */
-  private readonly attributes: Attributes = {};
+  private readonly attributes: Attributes = Object.create(null); // Prevent prototype pollution
 
   private defaultAction?: IListenerAction;
 
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts
@@ -318,7 +318,7 @@ export abstract class BaseLoadBalancer extends Resource {
   /**
    * Attributes set on this load balancer
    */
-  private readonly attributes: Attributes = {};
+  private readonly attributes: Attributes = Object.create(null);
 
   constructor(scope: Construct, id: string, baseProps: BaseLoadBalancerProps, additionalProps: any) {
     super(scope, id, {
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-target-group.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-target-group.ts
@@ -309,7 +309,7 @@ export abstract class TargetGroupBase extends Construct implements ITargetGroup
   /**
    * Attributes of this target group
    */
-  private readonly attributes: Attributes = {};
+  private readonly attributes: Attributes = Object.create(null);
 
   /**
    * The JSON objects returned by the directly registered members of this target group
diff --git a/packages/aws-cdk-lib/aws-events/lib/util.ts b/packages/aws-cdk-lib/aws-events/lib/util.ts
@@ -1,5 +1,6 @@
 import type { EventPattern } from './event-pattern';
 import { UnscopedValidationError } from '../../core';
+import { assertNoProtoRec } from '../../core/lib/private/prototype-pollution';
 
 /**
  * Merge the `src` event pattern into the `dest` event pattern by adding all
@@ -20,6 +21,8 @@ export function mergeEventPattern(dest: any, src: any) {
     }
 
     for (const field of Object.keys(srcObj)) {
+      assertNoProtoRec(field);
+
       const srcValue = srcObj[field];
       const destValue = destObj[field];
 
@@ -64,7 +67,7 @@ export function renderEventPattern(eventPattern: EventPattern): any {
   }
 
   // rename 'detailType' to 'detail-type'
-  const out: any = {};
+  const out: any = Object.create(null); // Prevent prototype pollution
   for (let key of Object.keys(eventPattern)) {
     const value = (eventPattern as any)[key];
     if (key === 'detailType') {
diff --git a/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts b/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts
@@ -77,11 +77,11 @@ export class PolicyStatement {
 
   private readonly _action = new OrderedSet<string>();
   private readonly _notAction = new OrderedSet<string>();
-  private readonly _principal: { [key: string]: any[] } = {};
-  private readonly _notPrincipal: { [key: string]: any[] } = {};
+  private readonly _principal: { [key: string]: any[] } = Object.create(null);
+  private readonly _notPrincipal: { [key: string]: any[] } = Object.create(null);
   private readonly _resource = new OrderedSet<string>();
   private readonly _notResource = new OrderedSet<string>();
-  private readonly _condition: { [key: string]: any } = { };
+  private readonly _condition: { [key: string]: any } = Object.create(null); // Prevent prototype pollution
   private _sid?: string;
   private _effect: Effect;
   private principalConditionsJson?: string;
diff --git a/packages/aws-cdk-lib/aws-iam/lib/principals.ts b/packages/aws-cdk-lib/aws-iam/lib/principals.ts
@@ -265,7 +265,7 @@ export class PrincipalWithConditions extends PrincipalAdapter {
 
   constructor(principal: IPrincipal, conditions: Conditions) {
     super(principal);
-    this.additionalConditions = conditions;
+    this.additionalConditions = Object.assign(Object.create(null), conditions); // Prevent prototype pollution
   }
 
   public addToAssumeRolePolicy(doc: PolicyDocument) {
diff --git a/packages/aws-cdk-lib/aws-iam/lib/private/postprocess-policy-document.ts b/packages/aws-cdk-lib/aws-iam/lib/private/postprocess-policy-document.ts
@@ -127,7 +127,7 @@ export function normalizeStatement(s: StatementSchema) {
       return principal[LITERAL_STRING_KEY][0];
     }
 
-    const result: any = {};
+    const result: any = Object.create(null); // Prevent prototype pollution
     for (const key of keys) {
       const normVal = _norm(principal[key]);
       if (normVal) {
diff --git a/packages/aws-cdk-lib/aws-iam/lib/private/util.ts b/packages/aws-cdk-lib/aws-iam/lib/private/util.ts
@@ -1,6 +1,7 @@
 import type { IConstruct } from 'constructs';
 import type { IPostProcessor, IResolvable, IResolveContext } from '../../../core';
 import { captureStackTrace, DefaultTokenResolver, Lazy, StringConcat, Token, Tokenization, UnscopedValidationError, ValidationError } from '../../../core';
+import { assertNoProto } from '../../../core/lib/private/prototype-pollution';
 import type { IPolicy } from '../policy';
 
 export const MAX_POLICY_NAME_LEN = 128;
@@ -84,6 +85,7 @@ export function mergePrincipal(target: { [key: string]: string[] }, source: { [k
   }
 
   for (const key of sourceKeys) {
+    assertNoProto(key);
     target[key] = target[key] ?? [];
 
     let value = source[key];
diff --git a/packages/aws-cdk-lib/aws-iam/lib/util.ts b/packages/aws-cdk-lib/aws-iam/lib/util.ts
@@ -1,7 +1,7 @@
 import type { IConstruct } from 'constructs';
 import type { IPolicy } from './policy';
 import type { IPostProcessor, IResolvable, IResolveContext } from '../../core';
-import { captureStackTrace, DefaultTokenResolver, Lazy, StringConcat, Token, Tokenization, UnscopedValidationError, ValidationError } from '../../core';
+import { captureStackTrace, DefaultTokenResolver, Lazy, StringConcat, Token, Tokenization, ValidationError } from '../../core';
 
 const MAX_POLICY_NAME_LEN = 128;
 
@@ -68,35 +68,6 @@ export class AttachedPolicies {
   }
 }
 
-/**
- * Merge two dictionaries that represent IAM principals
- *
- * Does an in-place merge.
- */
-export function mergePrincipal(target: { [key: string]: string[] }, source: { [key: string]: string[] }) {
-  // If one represents a literal string, the other one must be empty
-  const sourceKeys = Object.keys(source);
-  const targetKeys = Object.keys(target);
-
-  if ((LITERAL_STRING_KEY in source && targetKeys.some(k => k !== LITERAL_STRING_KEY)) ||
-    (LITERAL_STRING_KEY in target && sourceKeys.some(k => k !== LITERAL_STRING_KEY))) {
-    throw new UnscopedValidationError('CannotMustBeCannotMerge', `Cannot merge principals ${JSON.stringify(target)} and ${JSON.stringify(source)}; if one uses a literal principal string the other one must be empty`);
-  }
-
-  for (const key of sourceKeys) {
-    target[key] = target[key] ?? [];
-
-    let value = source[key];
-    if (!Array.isArray(value)) {
-      value = [value];
-    }
-
-    target[key].push(...value);
-  }
-
-  return target;
-}
-
 /**
  * Lazy string set token that dedupes entries
  *
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/function.ts b/packages/aws-cdk-lib/aws-lambda/lib/function.ts
@@ -970,7 +970,7 @@ export class Function extends FunctionBase {
   /**
    * Environment variables for this function
    */
-  private environment: { [key: string]: EnvironmentConfig } = {};
+  private environment: { [key: string]: EnvironmentConfig } = Object.create(null); // Prevent prototype pollution
 
   private readonly currentVersionOptions?: VersionOptions;
   private _currentVersion?: Version;
diff --git a/packages/aws-cdk-lib/aws-rds/lib/parameter-group.ts b/packages/aws-cdk-lib/aws-rds/lib/parameter-group.ts
@@ -201,7 +201,7 @@ export class ParameterGroup extends Resource implements IParameterGroup {
     this.family = family;
     this.description = props.description;
     this.name = props.name;
-    this.parameters = props.parameters ?? {};
+    this.parameters = Object.assign(Object.create(null), props.parameters); // Prevent prototype pollution
     this.removalPolicy = props.removalPolicy;
   }
 
diff --git a/packages/aws-cdk-lib/aws-stepfunctions/lib/private/json-path.ts b/packages/aws-cdk-lib/aws-stepfunctions/lib/private/json-path.ts
@@ -142,7 +142,7 @@ export function recurseObject(obj: object | undefined, handlers: FieldHandlers,
   // Marking current object as visited for the current recursion path
   visited.push(obj);
 
-  const ret: any = {};
+  const ret: any = Object.create(null); // Prevent prototype pollution
   for (const [key, value] of Object.entries(obj)) {
     if (typeof value === 'string') {
       Object.assign(ret, handlers.handleString(key, value));
diff --git a/packages/aws-cdk-lib/core/lib/asset-staging.ts b/packages/aws-cdk-lib/core/lib/asset-staging.ts
@@ -10,6 +10,7 @@ import { AssumptionError, ValidationError } from './errors';
 import type { FingerprintOptions } from './fs';
 import { FileSystem } from './fs';
 import { clearLargeFileFingerprintCache } from './fs/fingerprint';
+import { assertNoProtoRec } from './helpers-internal';
 import { Names } from './names';
 import { AssetBundlingVolumeCopy, AssetBundlingBindMount } from './private/asset-staging';
 import { Cache } from './private/cache';
@@ -587,6 +588,7 @@ function sortObject(object: { [key: string]: any }): { [key: string]: any } {
   }
   const ret: { [key: string]: any } = {};
   for (const key of Object.keys(object).sort()) {
+    assertNoProtoRec(key);
     ret[key] = sortObject(object[key]);
   }
   return ret;
diff --git a/packages/aws-cdk-lib/core/lib/cfn-resource.ts b/packages/aws-cdk-lib/core/lib/cfn-resource.ts
@@ -75,7 +75,7 @@ export class CfnResource extends CfnRefElement {
   /**
    * An object to be merged on top of the entire resource definition.
    */
-  private readonly rawOverrides: any = {};
+  private readonly rawOverrides: any = Object.create(null); // Prevent prototype pollution
 
   /**
    * Logical IDs of dependencies.
@@ -257,7 +257,7 @@ export class CfnResource extends CfnRefElement {
       // object overwrite it with an object.
       const isObject = curr[key] != null && typeof(curr[key]) === 'object' && !Array.isArray(curr[key]);
       if (!isObject) {
-        curr[key] = {};
+        curr[key] = Object.create(null); // Prevent prototype pollution
       }
 
       curr = curr[key];
diff --git a/packages/aws-cdk-lib/core/lib/helpers-internal/cfn-parse.ts b/packages/aws-cdk-lib/core/lib/helpers-internal/cfn-parse.ts
diff --git a/packages/aws-cdk-lib/core/lib/helpers-internal/index.ts b/packages/aws-cdk-lib/core/lib/helpers-internal/index.ts
diff --git a/packages/aws-cdk-lib/core/lib/nested-stack.ts b/packages/aws-cdk-lib/core/lib/nested-stack.ts
diff --git a/packages/aws-cdk-lib/core/lib/private/prototype-pollution.ts b/packages/aws-cdk-lib/core/lib/private/prototype-pollution.ts
diff --git a/packages/aws-cdk-lib/core/lib/private/resolve.ts b/packages/aws-cdk-lib/core/lib/private/resolve.ts
diff --git a/packages/aws-cdk-lib/core/lib/runtime.ts b/packages/aws-cdk-lib/core/lib/runtime.ts
diff --git a/packages/aws-cdk-lib/core/lib/stack.ts b/packages/aws-cdk-lib/core/lib/stack.ts
diff --git a/packages/aws-cdk-lib/core/lib/tree.ts b/packages/aws-cdk-lib/core/lib/tree.ts
diff --git a/packages/aws-cdk-lib/core/lib/util.ts b/packages/aws-cdk-lib/core/lib/util.ts
diff --git a/packages/aws-cdk-lib/pipelines/lib/private/javascript.ts b/packages/aws-cdk-lib/pipelines/lib/private/javascript.ts
diff --git a/packages/aws-cdk-lib/region-info/lib/fact.ts b/packages/aws-cdk-lib/region-info/lib/fact.ts

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,9 @@ export function decodeSpecialValues(object: object, physicalResourceId: string):`
`25`	`25`	`}`
`26`	`26`	`if (x && typeof x === 'object') {`
`27`	`27`	`for (const [key, value] of Object.entries(x)) {`
	`28`	`+ if (['__proto__', 'prototype', 'constructor'].includes(key)) {`
	`29`	+ throw new Error(`Unsafe key: ${key}`);
	`30`	`+ }`
`28`	`31`	`x[key] = recurse(value);`
`29`	`32`	`}`
`30`	`33`	`return x;`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+import { assertNoProtoRec } from 'aws-cdk-lib/core/lib/helpers-internal';`
	`2`	`+`
`1`	`3`	`/**`
`2`	`4`	`* Recurse into the given object, trying to parse any string as JSON`
`3`	`5`	`*/`
`@@ -12,6 +14,7 @@ export function deepParseJson(x: unknown): unknown {`
`12`	`14`	`}`
`13`	`15`	`if (x && typeof x === 'object') {`
`14`	`16`	`for (const [key, value] of Object.entries(x)) {`
	`17`	`+ assertNoProtoRec(key);`
`15`	`18`	`(x as any)[key] = deepParseJson(value);`
`16`	`19`	`}`
`17`	`20`