Merge commit from fork

dinwwwh · web-flow · commit 1dba06fc6f93 · 2026-03-02T08:53:04.000+07:00
diff --git a/packages/client/src/adapters/standard/rpc-json-serializer.test.ts b/packages/client/src/adapters/standard/rpc-json-serializer.test.ts
@@ -157,4 +157,32 @@ describe('standardRPCJsonSerializer: custom serializers', () => {
       })
     }).toThrow('Custom serializer type must be unique.')
   })
+
+  it.each(['nonExist', '__proto__', 'constructor'])('should throw when accessing non-existent path during deserialization: %s', (segment) => {
+    const serializer = new StandardRPCJsonSerializer()
+
+    expect(
+      () => serializer.deserialize({ a: 1 }, [[1, segment]]),
+    ).toThrow(`Security error: accessing non-existent path during deserialization. Path segment: ${segment}`)
+
+    expect(
+      () => serializer.deserialize({ a: 1 }, [[1, 'a', segment]]),
+    ).toThrow(`Security error: accessing non-existent path during deserialization. Path segment: ${segment}`)
+
+    expect(
+      () => serializer.deserialize({ a: 1 }, [[1, segment, 'role']]),
+    ).toThrow(`Security error: accessing non-existent path during deserialization. Path segment: ${segment}`)
+
+    expect(
+      () => serializer.deserialize({ a: 1 }, [], [[segment]], () => new Blob([])),
+    ).toThrow(`Security error: accessing non-existent path during deserialization. Path segment: ${segment}`)
+
+    expect(
+      () => serializer.deserialize({ a: 1 }, [], [['a', segment]], () => new Blob([])),
+    ).toThrow(`Security error: accessing non-existent path during deserialization. Path segment: ${segment}`)
+
+    expect(
+      () => serializer.deserialize({ a: 1 }, [], [[segment, 'role']], () => new Blob([])),
+    ).toThrow(`Security error: accessing non-existent path during deserialization. Path segment: ${segment}`)
+  })
 })
diff --git a/packages/client/src/adapters/standard/rpc-json-serializer.ts b/packages/client/src/adapters/standard/rpc-json-serializer.ts
@@ -145,6 +145,10 @@ export class StandardRPCJsonSerializer {
         segments.forEach((segment) => {
           currentRef = currentRef[preSegment]
           preSegment = segment
+
+          if (!Object.hasOwn(currentRef, preSegment)) {
+            throw new Error(`Security error: accessing non-existent path during deserialization. Path segment: ${preSegment}`)
+          }
         })
 
         currentRef[preSegment] = getBlob(i)
@@ -160,6 +164,10 @@ export class StandardRPCJsonSerializer {
       for (let i = 1; i < item.length; i++) {
         currentRef = currentRef[preSegment]
         preSegment = item[i]!
+
+        if (!Object.hasOwn(currentRef, preSegment)) {
+          throw new Error(`Security error: accessing non-existent path during deserialization. Path segment: ${preSegment}`)
+        }
       }
 
       for (const custom of this.customSerializers) {
