Prototype Pollution Guards on Value

Author: sinclairzx81

src/guard/guard.ts

@@ -189,10 +189,13 @@ export function TakeLeft<T, True extends (left: T, right: T[]) => unknown, False
 // --------------------------------------------------------------------------
 // Object
 // --------------------------------------------------------------------------
+/** Returns true if the PropertyKey appears unsafe (prototype-pollution). */
+export function IsUnsafePropertyKey(key: PropertyKey): boolean {
+  return IsEqual(key, '__proto__') || IsEqual(key, 'constructor') || IsEqual(key, 'prototype')
+}
 /** Returns true if this value has this property key */
 export function HasPropertyKey<Key extends PropertyKey>(value: object, key: Key): value is { [_ in Key]: unknown } {
-  const isProtoField = IsEqual(key, '__proto__') || IsEqual(key, 'constructor')
-  return isProtoField ? Object.prototype.hasOwnProperty.call(value, key) : key in value
+  return IsUnsafePropertyKey(key) ? Object.prototype.hasOwnProperty.call(value, key) : key in value
 }
 /** Returns object entries as `[RegExp, Value][]` */
 export function EntriesRegExp<Value extends unknown = unknown>(value: Record<PropertyKey, Value>): [RegExp, Value][] {
@@ -202,7 +205,7 @@ export function EntriesRegExp<Value extends unknown = unknown>(value: Record<Pro
 export function Entries<Value extends unknown = unknown>(value: Record<PropertyKey, Value>): [string, Value][] {
   return Object.entries(value)
 }
-/** Returns the property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
+/** Returns property keys for this object via `Object.getOwnPropertyKeys({ ... })` */
 export function Keys(value: Record<PropertyKey, unknown>): string[] {
   return Object.getOwnPropertyNames(value)
 }

src/schema/pointer/pointer.ts

@@ -33,11 +33,14 @@ import { Guard } from '../../guard/index.ts'
 // ------------------------------------------------------------------
 // Asserts
 // ------------------------------------------------------------------
-function AssertNotRoot(indices: string[]) {
-  if(indices.length === 0) throw Error('Cannot set root')
+function AssertNotRoot(indices: string[]): void {
+  if (indices.length === 0) throw Error('Cannot set root')
 }
 function AssertCanSet(value: unknown): asserts value is Record<string, unknown> {
-  if(!Guard.IsObject(value)) throw Error('Cannot set value')
+  if (!Guard.IsObject(value)) throw Error('Cannot set value')
+}
+function AssertIndex(index: string): void {
+  if (Guard.IsUnsafePropertyKey(index)) throw Error('Pointer contains unsafe property key')
 }
 // ------------------------------------------------------------------
 // Indices
@@ -55,7 +58,7 @@ function HasIndex(index: string, value: unknown): value is Record<string, unknow
   return Guard.IsObject(value) && Guard.HasPropertyKey(value, index)
 }
 function GetIndex(index: string, value: unknown): unknown {
-  return Guard.IsObject(value) ? value[index] : undefined
+  return Guard.IsObject(value) && !Guard.IsUnsafePropertyKey(index) ? value[index] : undefined
 }
 function GetIndices(indices: string[], value: unknown): unknown {
   return indices.reduce((value, index) => GetIndex(index, value), value)
@@ -76,7 +79,7 @@ export function Indices(pointer: string): string[] {
 export function Has(value: unknown, pointer: string): unknown {
   let current = value
   return Indices(pointer).every(index => {
-    if(!HasIndex(index, current)) return false
+    if (!HasIndex(index, current)) return false
     current = current[index]
     return true
   })
@@ -97,6 +100,7 @@ export function Set(value: unknown, pointer: string, next: unknown): unknown {
   const indices = Indices(pointer)
   AssertNotRoot(indices)
   const [head, index] = TakeIndexRight(indices)
+  AssertIndex(index)
   const parent = GetIndices(head, value)
   AssertCanSet(parent)
   parent[index] = next
@@ -110,9 +114,10 @@ export function Delete(value: unknown, pointer: string): unknown {
   const indices = Indices(pointer)
   AssertNotRoot(indices)
   const [head, index] = TakeIndexRight(indices)
+  AssertIndex(index)
   const parent = GetIndices(head, value)
   AssertCanSet(parent)
-  if(Guard.IsArray(parent) && IsNumericIndex(index)) {
+  if (Guard.IsArray(parent) && IsNumericIndex(index)) {
     parent.splice(+index, 1)
   } else {
     delete parent[index]

src/value/clone/clone.ts

@@ -48,16 +48,15 @@ function FromClassInstance(value: Record<PropertyKey, unknown>): Record<Property
 // ------------------------------------------------------------------
 function FromObjectInstance(value: Record<PropertyKey, unknown>): Record<PropertyKey, unknown> {
   const result = {} as Record<PropertyKey, unknown>
-  for (const key of Object.getOwnPropertyNames(value)) {
+  for (const key of Guard.Keys(value)) {
+    if (Guard.IsUnsafePropertyKey(key)) continue
     result[key] = Clone(value[key])
   }
-  for (const key of Object.getOwnPropertySymbols(value)) {
+  for (const key of Guard.Symbols(value)) {
     result[key] = Clone(value[key])
   }
   return result
 }
-
-Object.create({})
 // ------------------------------------------------------------------
 // Object
 // ------------------------------------------------------------------

src/value/delta/diff.ts

@@ -66,13 +66,15 @@ function* FromObject(path: string, left: Record<PropertyKey, unknown>, right: un
   // ----------------------------------------------------------------
   for (const key of rightKeys) {
     if (Guard.HasPropertyKey(left, key)) continue
+    if (Guard.IsUnsafePropertyKey(key)) continue
     yield CreateInsert(`${path}/${key}`, right[key])
   }
   // ----------------------------------------------------------------
   // Update
   // ----------------------------------------------------------------
   for (const key of leftKeys) {
     if (!Guard.HasPropertyKey(right, key)) continue
+    if (Guard.IsUnsafePropertyKey(key)) continue
     if (Equal(left, right)) continue
     yield* FromValue(`${path}/${key}`, left[key], right[key])
   }
@@ -81,6 +83,7 @@ function* FromObject(path: string, left: Record<PropertyKey, unknown>, right: un
   // ----------------------------------------------------------------
   for (const key of leftKeys) {
     if (Guard.HasPropertyKey(right, key)) continue
+    if (Guard.IsUnsafePropertyKey(key)) continue
     yield CreateDelete(`${path}/${key}`)
   }
 }
@@ -107,10 +110,10 @@ function* FromArray(path: string, left: unknown[], right: unknown): IterableIter
 function* FromTypedArray(path: string, left: GlobalsGuard.TTypeArray, right: unknown): IterableIterator<TEdit> {
   const typeLeft = globalThis.Object.getPrototypeOf(left).constructor.name
   const typeRight = globalThis.Object.getPrototypeOf(right).constructor.name
-  const predicate = GlobalsGuard.IsTypeArray(right) 
+  const predicate = GlobalsGuard.IsTypeArray(right)
     && Guard.IsEqual(left.length, right.length)
     && Guard.IsEqual(typeLeft, typeRight)
-  if(predicate) {
+  if (predicate) {
     for (let index = 0; index < Math.min(left.length, right.length); index++) {
       yield* FromValue(`${path}/${index}`, left[index], right[index])
     }
@@ -131,9 +134,9 @@ function* FromUnknown(path: string, left: unknown, right: unknown): IterableIter
 function* FromValue(path: string, left: unknown, right: unknown): IterableIterator<TEdit> {
   return (
     GlobalsGuard.IsTypeArray(left) ? yield* FromTypedArray(path, left, right) :
-    Guard.IsArray(left) ? yield* FromArray(path, left, right) :
-    Guard.IsObject(left) ?  yield* FromObject(path, left, right) :
-    yield* FromUnknown(path, left, right)
+      Guard.IsArray(left) ? yield* FromArray(path, left, right) :
+        Guard.IsObject(left) ? yield* FromObject(path, left, right) :
+          yield* FromUnknown(path, left, right)
   )
 }
 // ------------------------------------------------------------------

src/value/mutate/from_object.ts

@@ -35,23 +35,35 @@ import { Clone } from '../clone/index.ts'
 import { type TMutable } from './mutate.ts'
 import { FromValue } from './from_value.ts'
 
+// ------------------------------------------------------------------
+// AssertKey
+// ------------------------------------------------------------------
+function AssertKey(key: string): void {
+  if(Guard.IsUnsafePropertyKey(key)) throw Error('Attempted to Mutate with unsafe property key')
+}
+// ------------------------------------------------------------------
+// AssertKey
+// ------------------------------------------------------------------
 export function FromObject(root: TMutable, path: string, current: unknown, next: Record<string, unknown>): void {
   if (!Guard.IsObjectNotArray(current)) {
     Pointer.Set(root, path, Clone(next))
   } else {
     const currentKeys = Guard.Keys(current)
     const nextKeys = Guard.Keys(next)
     for (const currentKey of currentKeys) {
+      AssertKey(currentKey)
       if (!nextKeys.includes(currentKey)) {
         delete current[currentKey]
       }
     }
     for (const nextKey of nextKeys) {
+      AssertKey(nextKey)
       if (!currentKeys.includes(nextKey)) {
         current[nextKey] = next[nextKey]
       }
     }
     for (const nextKey of nextKeys) {
+      AssertKey(nextKey)
       FromValue(root, `${path}/${nextKey}`, current[nextKey], next[nextKey])
     }
   }

test/typebox/runtime/value/clone/clone.ts

@@ -79,3 +79,41 @@ Test('Should Clone 12', () => {
   const B = Value.Clone(A)
   Assert.IsTrue(A === B)
 })
+// ----------------------------------------------------------------
+// Pollution Guards: Ensure No Unsafe Property is Cloned
+//
+// https://github.com/sinclairzx81/typebox/pull/1593
+// ----------------------------------------------------------------
+Test('Should Clone 13', () => {
+  const A = { value: 1, constructor: 2 }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { value: 1 })
+})
+Test('Should Clone 14', () => {
+  const A = { value: 1, prototype: 2 }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { value: 1 })
+})
+Test('Should Clone 15', () => {
+  const A = { value: 1 }
+  Object.defineProperty(A, '__proto__', { value: 2, enumerable: true })
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { value: 1 })
+})
+// Nested
+Test('Should Clone 16', () => {
+  const A = { outer: { value: 1, constructor: 2 } }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { outer: { value: 1 } })
+})
+Test('Should Clone 17', () => {
+  const A = { outer: { value: 1, prototype: 2 } }
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { outer: { value: 1 } })
+})
+Test('Should Clone 18', () => {
+  const A = { outer: { value: 1 } }
+  Object.defineProperty(A.outer, '__proto__', { value: 2, enumerable: true })
+  const B = Value.Clone(A)
+  Assert.IsEqual(B, { outer: { value: 1 } })
+})

test/typebox/runtime/value/delta/diff.ts

@@ -394,3 +394,61 @@ Test('Should generate no diff for undefined properties of current and next', ()
   const E = [] as any
   Assert.IsEqual(D, E)
 })
+// ----------------------------------------------------------------
+// Pollution Guards: Ensure Unsafe Properties produce no Edits
+//
+// https://github.com/sinclairzx81/typebox/pull/1593
+// ----------------------------------------------------------------
+Test('Should not generate edits for unsafe properties on INSERT', () => {
+  const A = {}
+  const B = {
+    value: 1,
+    '__proto__': 1,
+    'constructor': 1,
+    'prototype': 1
+  }
+  const C = Value.Diff(A, B)
+  Assert.IsEqual(C, [{ type: 'insert', path: '/value', value: 1 }])
+})
+Test('Should not generate edits for unsafe properties on UPDATE', () => {
+  const A = {
+    value: 1,
+    '__proto__': 1,
+    'constructor': 1,
+    'prototype': 1
+  }
+  const B = {
+    value: 2,
+    '__proto__': 2,
+    'constructor': 2,
+    'prototype': 2
+  }
+  const C = Value.Diff(A, B)
+  Assert.IsEqual(C, [{ type: 'update', path: '/value', value: 2 }])
+})
+Test('Should not generate edits for nested unsafe properties on DELETE', () => {
+  const A = {
+    outer: {
+      value: 1,
+      '__proto__': 1,
+      'constructor': 1,
+      'prototype': 1
+    }
+  }
+  const B = { outer: {} }
+  const C = Value.Diff(A, B)
+  Assert.IsEqual(C, [{ type: 'delete', path: '/outer/value' }])
+})
+Test('Should not generate edits for nested unsafe properties on INSERT', () => {
+  const A = { outer: {} }
+  const B = {
+    outer: {
+      value: 1,
+      '__proto__': 1,
+      'constructor': 1,
+      'prototype': 1
+    }
+  }
+  const C = Value.Diff(A, B)
+  Assert.IsEqual(C, [{ type: 'insert', path: '/outer/value', value: 1 }])
+})