From fbcd7834b9e28d8e30c71ef0c069322611ee67e8 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Wed, 22 Apr 2026 17:18:02 -0700
Subject: [PATCH] fix(core): prototype pollution vector via query-parameter con

Configuration keys from `document.location.search` are converted directly into object properties and merged with `Object.assign(config, overrideProps)` without blocking special keys like `__proto__`, `constructor`, or `prototype`. An attacker-controlled URL can inject these keys and alter object prototypes or behavior of downstream config consumers.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/core/override-configuration.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/core/override-configuration.js b/src/core/override-configuration.js
index efe3c8d25c..41075dff14 100644
--- a/src/core/override-configuration.js
+++ b/src/core/override-configuration.js
@@ -14,6 +14,7 @@ export const name = "core/override-configuration";
 */
 export function run(config) {
 const params = new URLSearchParams(document.location.search);
+ const dangerousKeys = new Set(["__proto__", "prototype", "constructor"]);
 const overrideEntries = Array.from(params)
 .filter(([key, value]) => !!key && !!value)
 .map(([codedKey, codedValue]) => {
@@ -26,7 +27,8 @@ export function run(config) {
 value = decodedValue;
 }
 return [key, value];
- });
+ })
+ .filter(([key]) => !dangerousKeys.has(key));
 const overrideProps = Object.fromEntries(overrideEntries);
 Object.assign(config, overrideProps);
 pub("amend-user-config", overrideProps);
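Review bot: The new `.filter(([key]) => !dangerousKeys.has(key))` closing the second hunk carries no comment explaining why those three names are blocked, and the `dangerousKeys` Set added in the first hunk is rebuilt on every `run()` call; hoist it to module scope as `const DANGEROUS_KEYS = Object.freeze(new Set(["__proto__", "prototype", "constructor"]));` and annotate the filter with `// Object.assign() copies with [[Set]], so a "__proto__" key would hit the Object.prototype setter and rewire config's prototype; "constructor"/"prototype" are dropped defensively.` Placing the check on the decoded `key` after `.map` is the right spot, since URLSearchParams has already percent-decoded the raw name and the mapping step (between the hunks, not visible here) may transform it further. Only the key is screened, so if the value decoding on those hidden lines parses JSON into objects, a nested `__proto__` inside a value still lands on `config` and could matter to any downstream deep-merge — worth stating in the commit message or handling in a follow-up. No regression test accompanies the fix; one that sets the location to `?__proto__=%7B%22polluted%22%3A1%7D`, calls `run({})`, and asserts `({}).polluted === undefined` would pin it (assuming the suite has a DOM-like `document` available). `run()` continues past the end of the second hunk.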