Fix validate_object crashing when object prototype keys used in style's objects (#1028)

cxcorp · HarelM · web-flow · commit 91175b30b548 · 2025-03-04T23:40:09.000+02:00
* Fix validation crashing for specific key names in objects

Fixes an unhandled error occurring when validated objects (e.g. sources)
had keys that were found in Object.prototype. This caused certain
truthyness checks to incorrectly pass, as e.g. object["__proto__"]
always returns a truthy value (unless object has a null prototype or
otherwise non-Object prototype).

This commit fixes the problem by checking that the value is indeed set
on the object via Object.hasOwn(), or
Object.prototype.hasOwnProperty.call() if hasOwn is not available.

* Update CHANGELOG

* Update CHANGELOG.md

* Add unit tests for has_own.ts

* Make hasOwn check for truthiness for reusability, add getOwn util

hasOwn can now be used to replace patterns like:

```
if (hasOwnProperty(obj, key) &amp;&amp; obj[key]) {}
```

with

```
if (hasOwn(obj, key)) {}
```

whereas getOwn can be used to replace patterns like

```
const value = (hasOwnProperty(obj, key) &amp;&amp; obj[key]) || fallback
```

with

```
const value = getOwn(obj, key) || fallback
```

* Remove hasOwn utility in favor of just using getOwn

---------

Co-authored-by: Harel M &lt;harel.mazor@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 
 ### 🐞 Bug fixes
 - Fix RuntimeError class, make it inherited from Error ([#983](https://github.com/maplibre/maplibre-style-spec/issues/983))
+- Fix `validate_object` crashing when object prototype keys used in style's objects ([#1028](https://github.com/maplibre/maplibre-style-spec/pull/1028))
 - Validate that `layers` array items are objects instead of throwing an error if not ([!1026](https://github.com/maplibre/maplibre-style-spec/pull/1026))
 
 ## 23.1.0
diff --git a/src/util/get_own.test.ts b/src/util/get_own.test.ts
@@ -0,0 +1,66 @@
+describe('get_own', () => {
+    describe.each([
+        [
+            'when Object.hasOwn is available',
+            function beforeAllFn() {
+                // clear require cache before running tests as the implementation of
+                // hasOwn depends on whether Object.hasOwn is available
+                jest.resetModules();
+                expect(Object.hasOwn).toBeInstanceOf(Function);
+            },
+        ],
+        [
+            'when Object.hasOwn is not available',
+            function beforeAllFn() {
+                jest.resetModules();
+                delete Object.hasOwn;
+                expect(Object.hasOwn).toBeUndefined();
+            },
+        ],
+    ])('unit tests %s', (_, beforeAllFn) => {
+        let getOwn: typeof import('./get_own').getOwn;
+
+        beforeAll(async () => {
+            beforeAllFn();
+
+            const res = await import('./get_own');
+            getOwn = res.getOwn;
+        });
+
+        afterEach(() => {
+            jest.resetModules();
+        });
+
+        test('returns value for own properties', () => {
+            const obj = {key: 'value'};
+            expect(getOwn(obj, 'key')).toBe('value');
+        });
+
+        test('returns value for falsy own properties', () => {
+            const obj = {key: false, key2: 0, key3: '', key4: undefined, key5: null};
+            expect(getOwn(obj, 'key')).toBe(false);
+            expect(getOwn(obj, 'key2')).toBe(0);
+            expect(getOwn(obj, 'key3')).toBe('');
+            expect(getOwn(obj, 'key4')).toBeUndefined();
+            expect(getOwn(obj, 'key5')).toBeNull();
+        });
+
+        test('returns undefined for properties inherited from the prototype', () => {
+            const obj = {key: 'value'};
+            expect(getOwn(obj, '__proto__')).toBeUndefined();
+            expect(getOwn(obj, 'constructor')).toBeUndefined();
+            expect(getOwn(obj, 'valueOf')).toBeUndefined();
+
+            const inheritedKey = 'inheritedKey';
+            const prototype = {[inheritedKey]: 1234};
+            const objWithPrototype = Object.create(prototype);
+            expect(getOwn(objWithPrototype, inheritedKey)).toBeUndefined();
+        });
+
+        test('returns true for own properties that have the same name as a property in the prototype', () => {
+            const obj = JSON.parse('{"__proto__": 123, "valueOf": "123"}');
+            expect(getOwn(obj, '__proto__')).toBe(123);
+            expect(getOwn(obj, 'valueOf')).toBe('123');
+        });
+    });
+});
diff --git a/src/util/get_own.ts b/src/util/get_own.ts
@@ -0,0 +1,12 @@
+type HasOwnPropertyFn = <TObject extends object>(obj: TObject, key: PropertyKey) => key is keyof TObject;
+
+// polyfill for Object.hasOwn
+const hasOwnProperty: HasOwnPropertyFn =
+    (Object.hasOwn as HasOwnPropertyFn) ||
+    function hasOwnProperty<T extends object>(object: T, key: PropertyKey): key is keyof T {
+        return Object.prototype.hasOwnProperty.call(object, key);
+    };
+
+export function getOwn<T extends object>(object: T, key: PropertyKey): T[keyof T] | undefined {
+    return hasOwnProperty(object, key) ? object[key] : undefined;
+}
diff --git a/src/validate/validate_object.test.ts b/src/validate/validate_object.test.ts
@@ -0,0 +1,49 @@
+import {validate} from './validate';
+import {validateObject} from './validate_object';
+import v8 from '../reference/v8.json' with {type: 'json'};
+
+describe('Validate object', () => {
+    test('Should not throw an unexpected error if object prototype keys are used as keys', () => {
+        const errors = validateObject({
+            key: 'test',
+            value: {
+                __defineProperty__: 123,
+                hasOwnProperty: 123,
+                toLocaleString: 123,
+                valueOf: 123,
+            },
+            style: {},
+            styleSpec: v8,
+            validateSpec: validate,
+        });
+        expect(errors).toEqual([
+            {message: 'test: unknown property "__defineProperty__"'},
+            {message: 'test: unknown property "hasOwnProperty"'},
+            {message: 'test: unknown property "toLocaleString"'},
+            {message: 'test: unknown property "valueOf"'},
+        ]);
+    });
+
+    test('Should not throw an unexpected error if object prototype keys are used as dot separated keys', () => {
+        const errors = validateObject({
+            key: 'test',
+            value: {
+                '__proto__.__proto__': 123,
+                '__defineProperty__.__defineProperty__': 123,
+                'hasOwnProperty.hasOwnProperty': 123,
+                'toLocaleString.toLocaleString': 123,
+                'valueOf.valueOf': 123,
+            },
+            style: {},
+            styleSpec: v8,
+            validateSpec: validate,
+        });
+        expect(errors).toEqual([
+            {message: 'test: unknown property "__proto__.__proto__"'},
+            {message: 'test: unknown property "__defineProperty__.__defineProperty__"'},
+            {message: 'test: unknown property "hasOwnProperty.hasOwnProperty"'},
+            {message: 'test: unknown property "toLocaleString.toLocaleString"'},
+            {message: 'test: unknown property "valueOf.valueOf"'},
+        ]);
+    });
+});
diff --git a/src/validate/validate_object.ts b/src/validate/validate_object.ts
@@ -1,5 +1,6 @@
 
 import {ValidationError} from '../error/validation_error';
+import {getOwn} from '../util/get_own';
 import {getType} from '../util/get_type';
 
 export function validateObject(options): Array<ValidationError> {
@@ -19,12 +20,13 @@ export function validateObject(options): Array<ValidationError> {
 
     for (const objectKey in object) {
         const elementSpecKey = objectKey.split('.')[0]; // treat 'paint.*' as 'paint'
-        const elementSpec = elementSpecs[elementSpecKey] || elementSpecs['*'];
+        // objectKey comes from the user controlled style input, so elementSpecKey may be e.g. "__proto__"
+        const elementSpec = getOwn(elementSpecs, elementSpecKey) || elementSpecs['*'];
 
         let validateElement;
-        if (elementValidators[elementSpecKey]) {
+        if (getOwn(elementValidators, elementSpecKey)) {
             validateElement = elementValidators[elementSpecKey];
-        } else if (elementSpecs[elementSpecKey]) {
+        } else if (getOwn(elementSpecs, elementSpecKey)) {
             validateElement = validateSpec;
         } else if (elementValidators['*']) {
             validateElement = elementValidators['*'];
diff --git a/test/integration/style-spec/tests/sources.input.json b/test/integration/style-spec/tests/sources.input.json
@@ -49,6 +49,21 @@
         "zoom": ["+", ["zoom"]],
         "state": ["+", ["feature-state", "foo"]]
       }
+    },
+    "__proto__in-dot-separated-key-name-does-not-crash": {
+      "type": "raster",
+      "mazoom": 10,
+      "tileSize": 256,
+      "tiles": ["http://example.com/{x}/{y}/{z}.png"],
+      "__proto__.__proto__": 123
+    },
+    "key-names-with-object-prototype-methods-do-not-crash": {
+      "type": "raster",
+      "mazoom": 10,
+      "tileSize": 256,
+      "tiles": ["http://example.com/{x}/{y}/{z}.png"],
+      "valueOf": null,
+      "toLocaleString": 6
     }
   },
   "layers": []
