
Potential fix for code scanning alert no. 37: Prototype-polluting function#46

Draft
Tanker187 wants to merge 1 commit into main from alert-autofix-37

Conversation

@Tanker187
Owner

Potential fix for https://github.com/Tanker187/vite/security/code-scanning/37

In general, to prevent prototype pollution in deep merge/clone helpers, avoid writing or recursing into special keys that can change object prototypes (__proto__, constructor, and prototype), or restrict recursive merging to existing own properties on the destination. This ensures that user-controlled data cannot modify Object.prototype or other prototypes via crafted keys.

For this code, the least invasive and most compatible fix is to introduce a small helper that detects unsafe keys and then skip such keys in both deepClone and mergeWithDefaultsRecursively. Concretely:

  • Define a function, e.g. isUnsafeKey(key: string): boolean, that returns true for __proto__, constructor, and prototype.
  • In deepClone, before processing each key from value, check if (isUnsafeKey(key)) continue; so these problematic properties are never cloned into new objects.
  • In mergeWithDefaultsRecursively, before reading values[key] or assigning to merged[key], add if (isUnsafeKey(key)) continue; to completely ignore such keys during merging.
  • Place the helper near these utilities in packages/vite/src/node/utils.ts. No new imports are needed.

This preserves existing functionality for all normal keys, while dropping only the dangerous ones from user-controlled input, which is standard practice for mitigating prototype pollution.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ction

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
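The guard the PR description proposes, shown against the merge pattern it protects, as an added example that is not Vite's own utils.ts code and not part of this PR's diff. Only the name isUnsafeKey comes from the description above; mergeUnsafe, mergeSafe, deepCloneSafe, PAYLOAD and pollutes are hypothetical names introduced here, and the payload is a constructed attacker input. The vulnerable variant recurses into target[key] for every key, so a JSON key literally named "__proto__" resolves to Object.prototype and the nested value is written onto it; the hardened variant drops __proto__, constructor and prototype before reading or writing.

```typescript
// Added example (not Vite's code): hardened deep merge/clone with the
// isUnsafeKey guard described in the PR, beside the unguarded pattern.

type PlainObject = Record<string, any>

function isPlainObject(value: unknown): value is PlainObject {
  return value !== null && typeof value === 'object' && !Array.isArray(value)
}

// Property names through which a write can reach a prototype instead of
// an own property of the target object.
function isUnsafeKey(key: string): boolean {
  return key === '__proto__' || key === 'constructor' || key === 'prototype'
}

// Vulnerable: for key "__proto__" on a plain object, target[key] is
// Object.prototype, so the recursive call writes onto the global prototype.
function mergeUnsafe(target: PlainObject, source: PlainObject): PlainObject {
  for (const key of Object.keys(source)) {
    const value = source[key]
    if (isPlainObject(value) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], value)
    } else {
      target[key] = value
    }
  }
  return target
}

// Hardened: unsafe keys are skipped before target[key] is read or assigned.
function mergeSafe(target: PlainObject, source: PlainObject): PlainObject {
  for (const key of Object.keys(source)) {
    if (isUnsafeKey(key)) continue
    const value = source[key]
    if (isPlainObject(value) && isPlainObject(target[key])) {
      mergeSafe(target[key], value)
    } else {
      target[key] = value
    }
  }
  return target
}

// Hardened clone: unsafe keys are never copied into the fresh object.
function deepCloneSafe<T>(value: T): T {
  if (Array.isArray(value)) {
    return value.map((item) => deepCloneSafe(item)) as unknown as T
  }
  if (isPlainObject(value)) {
    const out: PlainObject = {}
    for (const key of Object.keys(value)) {
      if (isUnsafeKey(key)) continue
      out[key] = deepCloneSafe(value[key])
    }
    return out as T
  }
  return value
}

// Constructed attacker payload. JSON.parse creates an *own* property whose
// name is "__proto__", and Object.keys() enumerates it like any other key.
const PAYLOAD = '{"__proto__": {"polluted": "yes"}, "port": 3000}'

// Runs a merge of the payload into a fresh target and reports whether an
// unrelated object picked up the injected property. Always restores
// Object.prototype afterwards so the process is left clean.
function pollutes(merge: (t: PlainObject, s: PlainObject) => PlainObject): boolean {
  try {
    merge({}, JSON.parse(PAYLOAD))
    return ({} as any).polluted === 'yes'
  } finally {
    delete (Object.prototype as any).polluted
  }
}

console.log('unguarded merge pollutes:', pollutes(mergeUnsafe))
console.log('guarded merge pollutes:', pollutes(mergeSafe))
```

Note that the guard has to run before target[key] is read, not only before the assignment: the dangerous step in mergeUnsafe is the recursive call, which never assigns to target["__proto__"] directly. Skipping the key at the top of the loop covers both paths.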
Repository owner locked and limited conversation to collaborators Feb 11, 2026
@Tanker187 Tanker187 self-assigned this Feb 11, 2026