fix Prototype Pollution in mergeDeep, toJS, etc.

jdeniau · jdeniau · commit 6734b7b2af7e · 2026-03-03T07:53:24.000Z
diff --git a/__tests__/Map.ts b/__tests__/Map.ts
@@ -590,4 +590,13 @@ describe('Map', () => {
       ])
     );
   });
+
+  it('toJS / toObject are not sensible to prototype pollution', () => {
+    type User = { user: string; admin?: boolean };
+
+    // @ts-expect-error -- intentionally setting __proto__ to test prototype pollution
+    const m = Map<User>({ user: 'alice' }).set('__proto__', { admin: true });
+    expect(m.toObject().admin).toBeUndefined();
+    expect(m.toJS().admin).toBeUndefined();
+  });
 });
diff --git a/__tests__/merge.ts b/__tests__/merge.ts
@@ -349,4 +349,33 @@ describe('merge', () => {
     // merging with an empty record should return the same empty record instance
     expect(merge(myEmptyRecord, { a: 4 })).toBe(myEmptyRecord);
   });
+
+  it('is not sensible to prototype pollution', () => {
+    type User = { user: string; admin?: boolean };
+
+    // Simulates: app merges HTTP request body (JSON) into user profile
+    const userProfile: User = { user: 'Alice' };
+    const requestBody = JSON.parse('{"user":"Eve","__proto__":{"admin":true}}');
+
+    const r1 = mergeDeep(userProfile, requestBody);
+
+    expect(r1.user).toBe('Eve'); // Eve   (updated correctly)
+    expect(r1.admin).toBeUndefined();
+
+    const r2 = mergeDeepWith((a, b) => b, userProfile, requestBody);
+    expect(r2.admin).toBeUndefined();
+
+    const r3 = merge(userProfile, requestBody);
+    expect(r3.admin).toBeUndefined();
+
+    const nested = JSON.parse('{"profile":{"__proto__":{"admin":true}}}');
+    const r6 = mergeDeep<{ profile: { bio: string; admin?: boolean } }>(
+      { profile: { bio: 'Hello' } },
+      nested
+    );
+
+    expect(r6.profile.admin).toBeUndefined();
+
+    expect({}.admin).toBeUndefined(); // Confirm NOT global too
+  });
 });
diff --git a/src/functional/merge.js b/src/functional/merge.js
@@ -5,6 +5,7 @@ import { isIndexed } from '../predicates/isIndexed';
 import { isKeyed } from '../predicates/isKeyed';
 import hasOwnProperty from '../utils/hasOwnProperty';
 import isDataStructure from '../utils/isDataStructure';
+import { isProtoKey } from '../utils/protoInjection';
 import shallowCopy from '../utils/shallowCopy';
 
 export function merge(collection, ...sources) {
@@ -52,6 +53,10 @@ export function mergeWithSources(collection, sources, merger) {
         merged.push(value);
       }
     : (value, key) => {
+        if (isProtoKey(key)) {
+          return;
+        }
+
         const hasVal = hasOwnProperty.call(merged, key);
         const nextVal =
           hasVal && merger ? merger(merged[key], value, key) : value;
diff --git a/src/methods/toObject.js b/src/methods/toObject.js
@@ -1,9 +1,14 @@
 import assertNotInfinite from '../utils/assertNotInfinite';
+import { isProtoKey } from '../utils/protoInjection';
 
 export function toObject() {
   assertNotInfinite(this.size);
   const object = {};
   this.__iterate((v, k) => {
+    if (isProtoKey(k)) {
+      return;
+    }
+
     object[k] = v;
   });
   return object;
diff --git a/src/toJS.ts b/src/toJS.ts
@@ -4,6 +4,7 @@ import { Seq } from './Seq';
 import { isCollection } from './predicates/isCollection';
 import { isKeyed } from './predicates/isKeyed';
 import isDataStructure from './utils/isDataStructure';
+import { isProtoKey } from './utils/protoInjection';
 
 export function toJS(
   value: Collection | Record
@@ -26,6 +27,10 @@ export function toJS(
     const result: { [key: string]: unknown } = {};
     // @ts-expect-error `__iterate` exists on all Keyed collections but method is not defined in the type
     value.__iterate((v, k) => {
+      if (isProtoKey(k)) {
+        return;
+      }
+
       result[k] = toJS(v);
     });
     return result;
diff --git a/src/utils/protoInjection.ts b/src/utils/protoInjection.ts
@@ -0,0 +1,3 @@
+export function isProtoKey(key: string): boolean {
+  return key === '__proto__' || key === 'constructor';
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+export function isProtoKey(key: string): boolean {`
	`2`	`+ return key === '__proto__' \|\| key === 'constructor';`
	`3`	`+}`