2 changes: 1 addition & 1 deletion AISKU/package.json
@@ -70,7 +70,7 @@
"@microsoft/applicationinsights-core-js": "3.4.1",
"@microsoft/applicationinsights-dependencies-js": "3.4.1",
"@microsoft/applicationinsights-properties-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"license": "MIT"
2 changes: 1 addition & 1 deletion AISKULight/package.json
@@ -60,7 +60,7 @@
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-channel-js": "3.4.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"license": "MIT"
2 changes: 1 addition & 1 deletion channels/1ds-post-js/package.json
@@ -28,7 +28,7 @@
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"devDependencies": {
2 changes: 1 addition & 1 deletion channels/applicationinsights-channel-js/package.json
@@ -58,7 +58,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"license": "MIT"
2 changes: 1 addition & 1 deletion channels/offline-channel-js/package.json
@@ -32,7 +32,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"peerDependencies": {
2 changes: 1 addition & 1 deletion channels/tee-channel-js/package.json
@@ -59,7 +59,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"license": "MIT"
2 changes: 1 addition & 1 deletion common/Tests/Framework/package.json
@@ -52,7 +52,7 @@
},
"dependencies": {
"@microsoft/dynamicproto-js": "^2.0.3",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
}
}
664 changes: 276 additions & 388 deletions common/config/rush/npm-shrinkwrap.json

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion examples/AISKU/package.json
@@ -54,6 +54,6 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-web": "3.4.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
}
}
2 changes: 1 addition & 1 deletion examples/cfgSync/package.json
@@ -66,6 +66,6 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-web": "3.4.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
}
}
2 changes: 1 addition & 1 deletion examples/dependency/package.json
@@ -55,6 +55,6 @@
"@microsoft/applicationinsights-web": "3.4.1",
"@microsoft/applicationinsights-dependencies-js": "3.4.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
}
}
2 changes: 1 addition & 1 deletion examples/shared-worker/package.json
@@ -65,6 +65,6 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-web": "3.4.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
}
}
2 changes: 1 addition & 1 deletion examples/startSpan/package.json
@@ -57,6 +57,6 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-web": "3.4.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
}
}
2 changes: 1 addition & 1 deletion extensions/applicationinsights-analytics-js/package.json
@@ -62,7 +62,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
},
"license": "MIT"
}
2 changes: 1 addition & 1 deletion extensions/applicationinsights-cfgsync-js/package.json
@@ -58,7 +58,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"license": "MIT"
@@ -53,7 +53,7 @@
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@microsoft/applicationinsights-properties-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
},
"repository": {
"type": "git",
@@ -54,7 +54,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@microsoft/applicationinsights-shims": "3.0.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
},
"license": "MIT"
}
@@ -58,7 +58,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"license": "MIT"
2 changes: 1 addition & 1 deletion extensions/applicationinsights-osplugin-js/package.json
@@ -32,7 +32,7 @@
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"devDependencies": {
@@ -57,7 +57,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
},
"license": "MIT"
}
@@ -59,7 +59,7 @@
"@microsoft/dynamicproto-js": "^2.0.3",
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
},
"license": "MIT"
}
@@ -7,9 +7,8 @@ import dynamicProto from "@microsoft/dynamicproto-js";
import {
BaseTelemetryPlugin, BreezeChannelIdentifier, IAppInsightsCore, IConfig, IConfigDefaults, IConfiguration, IPlugin,
IProcessTelemetryContext, IProcessTelemetryUnloadContext, IPropertiesPlugin, ITelemetryItem, ITelemetryPluginChain,
ITelemetryUnloadState, PageViewEnvelopeType, PropertiesPluginIdentifier, _InternalLogMessage, _eInternalMessageId,
_logInternalMessage, createProcessTelemetryContext, eLoggingSeverity, getNavigator, getSetValue, isNullOrUndefined, onConfigChange,
utlSetStoragePrefix
ITelemetryUnloadState, PageViewEnvelopeType, PropertiesPluginIdentifier, _InternalLogMessage, _eInternalMessageId, _logInternalMessage,
createProcessTelemetryContext, eLoggingSeverity, getNavigator, getSetValue, isNullOrUndefined, onConfigChange, utlSetStoragePrefix
} from "@microsoft/applicationinsights-core-js";
import { isString, objDeepFreeze, objDefine } from "@nevware21/ts-utils";
import { IPropTelemetryContext } from "./Interfaces/IPropTelemetryContext";
2 changes: 1 addition & 1 deletion shared/1ds-core-js/package.json
@@ -39,7 +39,7 @@
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@microsoft/dynamicproto-js": "^2.0.3",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
},
"devDependencies": {
2 changes: 1 addition & 1 deletion shared/AppInsightsCommon/package.json
@@ -56,7 +56,7 @@
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/applicationinsights-core-js": "3.4.1",
"@microsoft/dynamicproto-js": "^2.0.3",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x"
"@nevware21/ts-utils": ">= 0.14.0 < 2.x"
},
"license": "MIT"
}
71 changes: 71 additions & 0 deletions shared/AppInsightsCore/Tests/Unit/src/ai/HelperFunc.Tests.ts
@@ -539,5 +539,76 @@ export class HelperFuncTests extends AITestClass {
Assert.equal(rlt, undefined, "feature is not enable case 6");
}
});

this.testCase({
name: 'objExtend should not allow __proto__ pollution in shallow merge',
test: () => {
try {
let malicious = JSON.parse('{"__proto__": {"polluted": "yes"}}');
let result = objExtend({}, malicious);
Assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted");
Assert.equal(result["polluted"], undefined, "Result should not inherit polluted property");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});

this.testCase({
name: 'objExtend should not allow __proto__ pollution in deep merge',
test: () => {
try {
let malicious = JSON.parse('{"__proto__": {"polluted": "yes"}}');
let result = objExtend(true, {}, malicious);
Assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted via deep merge");
Assert.equal(result["polluted"], undefined, "Result should not inherit polluted property via deep merge");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});

this.testCase({
name: 'objExtend should not allow nested __proto__ pollution in deep merge',
test: () => {
try {
let malicious = JSON.parse('{"nested": {"__proto__": {"polluted": "yes"}}}');
let result = objExtend(true, {}, malicious);
Assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted via nested deep merge");
Assert.ok(result["nested"] !== undefined, "Nested object should still exist");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});

this.testCase({
name: 'objExtend should not allow constructor or prototype key pollution',
test: () => {
try {
let malicious = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}, "prototype": {"polluted": "yes"}}');
let result = objExtend(true, {}, malicious);
Assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted via constructor/prototype keys");
Assert.ok(!result.hasOwnProperty("constructor"), "constructor key should be skipped");
Assert.ok(!result.hasOwnProperty("prototype"), "prototype key should be skipped");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});

this.testCase({
name: 'objExtend should still merge safe properties when __proto__ is present',
test: () => {
try {
let malicious = JSON.parse('{"__proto__": {"polluted": "yes"}, "safe": "value"}');
let result = objExtend(true, {}, malicious);
Assert.equal(result["safe"], "value", "Safe properties should still be merged");
Assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});
}
}
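Review bot: The nested case ('objExtend should not allow nested __proto__ pollution in deep merge') checks only the global `Object.prototype` and that `result["nested"]` exists, so a merge that swapped the prototype of the nested object itself would still pass. Adding `Assert.equal(result["nested"]["polluted"], undefined, "Nested object should not inherit polluted property");` closes that gap, in the same way the shallow and deep cases already assert on `result["polluted"]`. No change to `objExtend` itself is visible on this page, so which code makes these cases pass cannot be confirmed from here.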
57 changes: 57 additions & 0 deletions shared/AppInsightsCore/Tests/Unit/src/ext/UtilsTest.ts
@@ -224,5 +224,62 @@ export class UtilsTest extends AITestClass {
}
}
});

this.testCase({
name: 'extend should not allow __proto__ pollution in shallow merge',
test: () => {
try {
let malicious = JSON.parse('{"__proto__": {"polluted": "yes"}}');
let result = Utils.extend({}, malicious);
QUnit.assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted");
QUnit.assert.equal(result["polluted"], undefined, "Result should not inherit polluted property");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});

this.testCase({
name: 'extend should not allow __proto__ pollution in deep merge',
test: () => {
try {
let malicious = JSON.parse('{"__proto__": {"polluted": "yes"}}');
let result = Utils.extend(true, {}, malicious);
QUnit.assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted via deep merge");
QUnit.assert.equal(result["polluted"], undefined, "Result should not inherit polluted property via deep merge");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});

this.testCase({
name: 'extend should not allow constructor or prototype key pollution',
test: () => {
try {
let malicious = JSON.parse('{"constructor": {"prototype": {"polluted": "yes"}}, "prototype": {"polluted": "yes"}}');
let result = Utils.extend(true, {}, malicious);
QUnit.assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted via constructor/prototype keys");
QUnit.assert.ok(!result.hasOwnProperty("constructor"), "constructor key should be skipped");
QUnit.assert.ok(!result.hasOwnProperty("prototype"), "prototype key should be skipped");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});

this.testCase({
name: 'extend should still merge safe properties correctly',
test: () => {
try {
let malicious = JSON.parse('{"__proto__": {"polluted": "yes"}, "safe": "value"}');
let result = Utils.extend(true, {}, malicious);
QUnit.assert.equal(result["safe"], "value", "Safe properties should still be merged");
QUnit.assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted");
} finally {
delete (Object.prototype as any)["polluted"];
}
}
});
}
}
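Review bot: The cases added for `Utils.extend` stop at top-level keys, although the deep-merge path is where a `__proto__` key below the top level would be reached, and HelperFunc.Tests.ts in this same commit covers exactly that for `objExtend`. I would add a case that mirrors it, with one more assertion that the nested result does not inherit `polluted`. The enclosing registration method starts outside the hunk, so the new case belongs next to the four added here.

```typescript
// … unchanged: the four extend test cases added in this hunk …
this.testCase({
    name: 'extend should not allow nested __proto__ pollution in deep merge',
    test: () => {
        try {
            let malicious = JSON.parse('{"nested": {"__proto__": {"polluted": "yes"}}}');
            let result = Utils.extend(true, {}, malicious);
            QUnit.assert.equal(({} as any)["polluted"], undefined, "Object.prototype should not be polluted via nested deep merge");
            QUnit.assert.ok(result["nested"] !== undefined, "Nested object should still exist");
            QUnit.assert.equal(result["nested"]["polluted"], undefined, "Nested object should not inherit polluted property");
        } finally {
            delete (Object.prototype as any)["polluted"];
        }
    }
});
```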
2 changes: 1 addition & 1 deletion shared/AppInsightsCore/package.json
@@ -69,7 +69,7 @@
"dependencies": {
"@microsoft/applicationinsights-shims": "3.0.1",
"@microsoft/dynamicproto-js": "^2.0.3",
"@nevware21/ts-utils": ">= 0.12.6 < 2.x",
"@nevware21/ts-utils": ">= 0.14.0 < 2.x",
"@nevware21/ts-async": ">= 0.5.5 < 2.x"
}
}
9 changes: 7 additions & 2 deletions shared/AppInsightsCore/src/ext/extUtils.ts
@@ -6,7 +6,7 @@
*/
import {
arrForEach, getInst as getGlobalInst, getNavigator, hasDocument, hasWindow, isArray, isBoolean, isNullOrUndefined, isNumber, isObject,
isString, isUndefined, objForEachKey, perfNow, strIndexOf, strLeft
isString, isUndefined, isUnsafePropKey, objForEachKey, perfNow, strIndexOf, strLeft
} from "@nevware21/ts-utils";
import { STR_EMPTY } from "../constants/InternalConstants";
import { EventLatency, EventLatencyValue, FieldValueSanitizerType, GuidStyle, eEventPropertyType, eValueKind } from "../enums/ext/Enums";
@@ -19,7 +19,7 @@ import { isReactNative } from "../utils/EnvUtils";
/**
* Identifies the version for the extended SDK
*/
export const ExtVersion = "#extVersion#";
export const ExtVersion = "4.4.1";

/**
* Identifies the full version for the extended SDK
@@ -283,6 +283,11 @@ export function extend(obj?: any, obj2?: any, obj3?: any, obj4?: any, obj5?: any
for (; i < length; i++) {
var obj = theArgs[i];
objForEachKey(obj, (prop, value) => {
// Prevent prototype pollution by skipping unsafe keys
if (isUnsafePropKey(prop)) {
return;
}
Comment thread
hectorhdzg marked this conversation as resolved.

// If deep merge and property is an object, merge properties
if (deep && value && isObject(value)) {
if (isArray(value)) {
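Review bot: The new guard in `extend` drops keys silently, and its comment does not say which ones. The tests added in this commit expect `__proto__`, `constructor` and `prototype` to be skipped, so an input that legitimately carries a field with one of those names now loses it without any diagnostic. I would spell that out at the guard, e.g. `// Skip "__proto__", "constructor" and "prototype" so a merged source cannot reach Object.prototype; these keys are dropped, not copied`, and repeat the behaviour change in the function's doc comment. The body of `extend` starts and ends outside this hunk, so whether the array branch and the recursive call pass through the same callback cannot be confirmed from here.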
2 changes: 1 addition & 1 deletion shared/AppInsightsCore/src/utils/DataCacheHelper.ts
@@ -6,7 +6,7 @@ import { STR_EMPTY } from "../constants/InternalConstants";
import { normalizeJsName } from "./HelperFuncs";
import { newId } from "./RandomHelper";

const version = "#version#";
const version = "3.4.1";
let instanceName = "." + newId(6);
let _dataUid = 0;

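Review bot: `const version = "3.4.1";` replaces the `"#version#"` token with a literal, which reads like build output checked in rather than an intended source change; `ExtVersion` in shared/AppInsightsCore/src/ext/extUtils.ts has the same edit (`"#extVersion#"` became `"4.4.1"`). If the release build fills these tokens in, as their shape suggests, the literals will stay at these values on the next version bump and the reported version will no longer match the package. Unless that is deliberate, restore `const version = "#version#";` and `export const ExtVersion = "#extVersion#";`.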