Prototype Pollution Guards on Value

sinclairzx81 · sinclairzx81 · commit 94ca89f02a72 · 2026-05-01T21:36:59.000+09:00
diff --git a/src/value/mutate/from_object.ts b/src/value/mutate/from_object.ts
@@ -35,23 +35,35 @@ import { Clone } from '../clone/index.ts'
 import { type TMutable } from './mutate.ts'
 import { FromValue } from './from_value.ts'
 
+// ------------------------------------------------------------------
+// AssertKey
+// ------------------------------------------------------------------
+function AssertKey(key: string): void {
+  if(Guard.IsUnsafePropertyKey(key)) throw Error('Attempted to Mutate with unsafe property key')
+}
+// ------------------------------------------------------------------
+// AssertKey
+// ------------------------------------------------------------------
 export function FromObject(root: TMutable, path: string, current: unknown, next: Record<string, unknown>): void {
   if (!Guard.IsObjectNotArray(current)) {
     Pointer.Set(root, path, Clone(next))
   } else {
     const currentKeys = Guard.Keys(current)
     const nextKeys = Guard.Keys(next)
     for (const currentKey of currentKeys) {
+      AssertKey(currentKey)
       if (!nextKeys.includes(currentKey)) {
         delete current[currentKey]
       }
     }
     for (const nextKey of nextKeys) {
+      AssertKey(nextKey)
       if (!currentKeys.includes(nextKey)) {
         current[nextKey] = next[nextKey]
       }
     }
     for (const nextKey of nextKeys) {
+      AssertKey(nextKey)
       FromValue(root, `${path}/${nextKey}`, current[nextKey], next[nextKey])
     }
   }
diff --git a/test/typebox/runtime/value/mutate/mutate.ts b/test/typebox/runtime/value/mutate/mutate.ts
@@ -1,5 +1,6 @@
 import { Value } from 'typebox/value'
 import { Assert } from 'test'
+import type { prototype } from 'node:events'
 
 const Test = Assert.Context('Value.Mutate')
 
@@ -127,3 +128,26 @@ Test('Should Mutate 19', () => {
   Value.Mutate(A, { x: 4, y: 5, z: 4, w: 5 })
   Assert.IsEqual(A, { x: 4, y: 5, z: 4, w: 5 })
 })
+// ----------------------------------------------------------------
+// Pollution Guards: Should ignore and throw on unsafe key.
+//
+// https://github.com/sinclairzx81/typebox/pull/1593
+// ----------------------------------------------------------------
+Test('Should Clone 20', () => {
+  const A = { x: 1 } // basis
+  Value.Mutate(A, { x: 1, y: 1 })
+  Assert.IsEqual(A, { x: 1, y: 1 })
+})
+Test('Should Clone 21', () => {
+  const A = { x: 1, y: 1 }
+  Value.Mutate(A, { x: 1, y: 1, __proto__: 1 })
+  Assert.IsEqual(A, { x: 1, y: 1 })
+})
+Test('Should Clone 22', () => {
+  const A = { x: 1 }
+  Assert.Throws(() => Value.Mutate(A, { x: 1, constructor: 1 }))
+})
+Test('Should Clone 23', () => {
+  const A = { x: 1 }
+  Assert.Throws(() => Value.Mutate(A, { x: 1, prototype: 1 }))
+})
