fix: backport DOS via __proto__ key in merge config fix to v0.x (#7388)

FeBe95 · web-flow · commit d7ff1409c681 · 2026-02-11T08:19:32.000+02:00
* backport fix

* add unit tests

* use `require()` instead of `import`
diff --git a/lib/core/mergeConfig.js b/lib/core/mergeConfig.js
@@ -94,7 +94,10 @@ module.exports = function mergeConfig(config1, config2) {
   };
 
   utils.forEach(Object.keys(config1).concat(Object.keys(config2)), function computeConfigValue(prop) {
-    var merge = mergeMap[prop] || mergeDeepProperties;
+    if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
+      return;
+    }
+    var merge = utils.hasOwnProperty(mergeMap, prop) ? mergeMap[prop] : mergeDeepProperties;
     var configValue = merge(prop);
     (utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
   });
diff --git a/lib/utils.js b/lib/utils.js
@@ -310,6 +310,10 @@ function forEach(obj, fn) {
 function merge(/* obj1, obj2, obj3, ... */) {
   var result = {};
   function assignValue(val, key) {
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+      return;
+    }
+
     if (isPlainObject(result[key]) && isPlainObject(val)) {
       result[key] = merge(result[key], val);
     } else if (isPlainObject(val)) {
diff --git a/test/unit/core/prototypePollution.js b/test/unit/core/prototypePollution.js
@@ -0,0 +1,226 @@
+"use strict";
+
+var assert = require('assert');
+var utils = require('../../../lib/utils');
+var mergeConfig = require('../../../lib/core/mergeConfig');
+
+describe("Prototype Pollution Protection", function () {
+  afterEach(function () {
+    // Clean up any pollution that might have occurred
+    delete Object.prototype.polluted;
+  });
+
+  describe("utils.merge", function () {
+    it("should filter __proto__ key at top level", function () {
+      const result = utils.merge(
+        {},
+        { __proto__: { polluted: "yes" }, safe: "value" },
+      );
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.safe, "value");
+      assert.strictEqual(result.hasOwnProperty("__proto__"), false);
+    });
+
+    it("should filter constructor key at top level", function () {
+      const result = utils.merge(
+        {},
+        { constructor: { polluted: "yes" }, safe: "value" },
+      );
+
+      assert.strictEqual(result.safe, "value");
+      assert.strictEqual(result.hasOwnProperty("constructor"), false);
+    });
+
+    it("should filter prototype key at top level", function () {
+      const result = utils.merge(
+        {},
+        { prototype: { polluted: "yes" }, safe: "value" },
+      );
+
+      assert.strictEqual(result.safe, "value");
+      assert.strictEqual(result.hasOwnProperty("prototype"), false);
+    });
+
+    it("should filter __proto__ key in nested objects", function () {
+      const result = utils.merge(
+        {},
+        {
+          headers: {
+            __proto__: { polluted: "nested" },
+            "Content-Type": "application/json",
+          },
+        },
+      );
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.headers["Content-Type"], "application/json");
+      assert.strictEqual(result.headers.hasOwnProperty("__proto__"), false);
+    });
+
+    it("should filter constructor key in nested objects", function () {
+      const result = utils.merge(
+        {},
+        {
+          headers: {
+            constructor: { prototype: { polluted: "nested" } },
+            "Content-Type": "application/json",
+          },
+        },
+      );
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.headers["Content-Type"], "application/json");
+      assert.strictEqual(result.headers.hasOwnProperty("constructor"), false);
+    });
+
+    it("should filter prototype key in nested objects", function () {
+      const result = utils.merge(
+        {},
+        {
+          headers: {
+            prototype: { polluted: "nested" },
+            "Content-Type": "application/json",
+          },
+        },
+      );
+
+      assert.strictEqual(result.headers["Content-Type"], "application/json");
+      assert.strictEqual(result.headers.hasOwnProperty("prototype"), false);
+    });
+
+    it("should filter dangerous keys in deeply nested objects", function () {
+      const result = utils.merge(
+        {},
+        {
+          level1: {
+            level2: {
+              __proto__: { polluted: "deep" },
+              prototype: { polluted: "deep" },
+              safe: "value",
+            },
+          },
+        },
+      );
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.level1.level2.safe, "value");
+      assert.strictEqual(
+        result.level1.level2.hasOwnProperty("__proto__"),
+        false,
+      );
+    });
+
+    it("should still merge regular properties correctly", function () {
+      const result = utils.merge({ a: 1, b: { c: 2 } }, { b: { d: 3 }, e: 4 });
+
+      assert.strictEqual(result.a, 1);
+      assert.strictEqual(result.b.c, 2);
+      assert.strictEqual(result.b.d, 3);
+      assert.strictEqual(result.e, 4);
+    });
+
+    it("should handle JSON.parse payloads safely", function () {
+      const malicious = JSON.parse('{"__proto__": {"polluted": "yes"}}');
+      const result = utils.merge({}, malicious);
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.hasOwnProperty("__proto__"), false);
+    });
+
+    it("should handle nested JSON.parse payloads safely", function () {
+      const malicious = JSON.parse(
+        '{"headers": {"constructor": {"prototype": {"polluted": "yes"}}}}',
+      );
+      const result = utils.merge({}, malicious);
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.headers.hasOwnProperty("constructor"), false);
+    });
+  });
+
+  describe("mergeConfig", function () {
+    it("should filter dangerous keys at top level", function () {
+      const result = mergeConfig(
+        {},
+        {
+          __proto__: { polluted: "yes" },
+          constructor: { polluted: "yes" },
+          prototype: { polluted: "yes" },
+          url: "/api/test",
+        },
+      );
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.url, "/api/test");
+      assert.strictEqual(result.hasOwnProperty("__proto__"), false);
+      assert.strictEqual(result.hasOwnProperty("constructor"), false);
+      assert.strictEqual(result.hasOwnProperty("prototype"), false);
+    });
+
+    it("should filter dangerous keys in headers", function () {
+      const result = mergeConfig(
+        {},
+        {
+          headers: {
+            __proto__: { polluted: "yes" },
+            "Content-Type": "application/json",
+          },
+        },
+      );
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.headers["Content-Type"], "application/json");
+      assert.strictEqual(result.headers.hasOwnProperty("__proto__"), false);
+    });
+
+    it("should filter dangerous keys in custom config properties", function () {
+      const result = mergeConfig(
+        {},
+        {
+          customProp: {
+            __proto__: { polluted: "yes" },
+            safe: "value",
+          },
+        },
+      );
+
+      assert.strictEqual(Object.prototype.polluted, undefined);
+      assert.strictEqual(result.customProp.safe, "value");
+      assert.strictEqual(result.customProp.hasOwnProperty("__proto__"), false);
+    });
+
+    it("should still merge configs correctly", function () {
+      const config1 = {
+        baseURL: "https://api.example.com",
+        timeout: 1000,
+        headers: {
+          common: {
+            Accept: "application/json",
+          },
+        },
+      };
+
+      const config2 = {
+        url: "/users",
+        timeout: 5000,
+        headers: {
+          common: {
+            "Content-Type": "application/json",
+          },
+        },
+      };
+
+      const result = mergeConfig(config1, config2);
+
+      assert.strictEqual(result.baseURL, "https://api.example.com");
+      assert.strictEqual(result.url, "/users");
+      assert.strictEqual(result.timeout, 5000);
+      assert.strictEqual(result.headers.common.Accept, "application/json");
+      assert.strictEqual(
+        result.headers.common["Content-Type"],
+        "application/json",
+      );
+    });
+  });
+});
