fix(util): prevent prototype pollution in deepMerge (#5144)

packages/util/src/deep-merge.ts

@@ -8,15 +8,17 @@ export type DeepPartial<T> = {
  * @param overrides
  */
 export function deepMerge<T>(defaults: T, overrides: DeepPartial<T>): void {
-  Object.keys(overrides).forEach((key) => {
-    const defaultValue = (defaults as any)[key];
-    const overrideValue = (overrides as any)[key];
-    if (overrideValue !== undefined) {
-      if (defaultValue === undefined || typeof defaultValue !== 'object' || typeof overrideValue !== 'object' || Array.isArray(defaultValue)) {
-        (defaults as any)[key] = overrideValue;
-      } else {
-        deepMerge(defaultValue, overrideValue as DeepPartial<T>);
+  Object.keys(overrides)
+    .filter((key) => key !== '__proto__')
+    .forEach((key) => {
+      const defaultValue = (defaults as any)[key];
+      const overrideValue = (overrides as any)[key];
+      if (overrideValue !== undefined) {
+        if (defaultValue === undefined || typeof defaultValue !== 'object' || typeof overrideValue !== 'object' || Array.isArray(defaultValue)) {
+          (defaults as any)[key] = overrideValue;
+        } else {
+          deepMerge(defaultValue, overrideValue as DeepPartial<T>);
+        }
       }
-    }
-  });
+    });
 }

packages/util/test/unit/deep-merge.spec.ts

@@ -60,4 +60,17 @@ describe(deepMerge.name, () => {
     const expected: Foo = { foo: '1' };
     expect(foo).deep.eq(expected);
   });
+
+  it('should prevent prototype pollution', () => {
+    // Arrange
+    const someObj = {};
+
+    // Act
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+    deepMerge(someObj, JSON.parse('{"__proto__":{"pollutedKey":123}}'));
+
+    // Assert
+    // @ts-expect-error This polluted key shouldn't be there, that's the point
+    expect({}.__proto__.pollutedKey).undefined;
+  });
 });