fix: 修复原型污染安全漏洞 (CodeQL Alert #2)

李杰 · 李杰 · commit 2ad18e05e65e · 2026-01-30T20:39:56.000+08:00
- 使用 Object.defineProperty 替代直接属性赋值
- 在 setKeyIfEnglish 函数中增强原型污染防护
- 修复 GitHub Code Scanning 安全警告
diff --git a/scripts/update_locales.cjs b/scripts/update_locales.cjs
@@ -657,15 +657,25 @@ function updateFile(fileName) {
         const key = keys[i];
         if (!isSafeKey(key)) return false;
         if (!Object.prototype.hasOwnProperty.call(current, key) || !current[key]) {
-          current[key] = Object.create(null);
+          Object.defineProperty(current, key, {
+            value: Object.create(null),
+            writable: true,
+            enumerable: true,
+            configurable: true
+          });
         }
         current = current[key];
       }
       const lastKey = keys[keys.length - 1];
       if (!isSafeKey(lastKey)) return false;
-      const existing = current[lastKey];
+      const existing = Object.prototype.hasOwnProperty.call(current, lastKey) ? current[lastKey] : undefined;
       if (!Object.prototype.hasOwnProperty.call(current, lastKey) || existing === englishValue) {
-        current[lastKey] = value;
+        Object.defineProperty(current, lastKey, {
+          value: value,
+          writable: true,
+          enumerable: true,
+          configurable: true
+        });
         return true;
       }
       return false;
