ambar / concat-merge / 20185952435 / 1

87%

main: 87%

push

github

fix: Fix possible prototype pollution vulerability on `concatMerge()` (#1)

* fix: prevent constructor pollution by enforcing own-property checks

This patch fixes a vulnerability where global built-in properties (like the Object constructor) could be modified during a merge operation.

The previous implementation accessed properties from the prototype chain (e.g., 'constructor' from Object.prototype) when iterating over keys present in the source object. This allowed an attacker to retrieve the global `Object` function and pass it as the target to the mutation sink (`Object.assign`).

The fix ensures that only an object's own properties are considered for merging by implementing a safe check: `Object.prototype.hasOwnProperty.call(a, key)` before accessing `a[key]`. This prevents global built-in functions from being exposed and subsequently polluted.

Security-Severity: High

* fix: Exclude special properties from object merge

Skip merging special object properties like '__proto__', 'constructor', and 'prototype'.

* Simplify property access for object 'a'

14 of 20 branches covered (70.0%)

Branch coverage included in aggregate %.

41 of 47 relevant lines covered (87.23%)

17.83 hits per line