Potential fix for code scanning alert no. 55: Prototype-polluting assignment

ardatan · github-advanced-security[bot] · ardatan · commit 49734e68f938 · 2025-01-23T17:17:32.000+03:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/packages/wrap/src/transforms/WrapQuery.ts b/packages/wrap/src/transforms/WrapQuery.ts
@@ -87,11 +87,18 @@ export default class WrapQuery<TContext = Record<string, any>>
       const path = [...this.path];
       while (path.length > 1) {
         const next = path.shift()!;
+        if (next === '__proto__' || next === 'constructor' || next === 'prototype') {
+          throw new Error('Invalid path key');
+        }
         if (data[next]) {
           data = data[next];
         }
       }
-      data[path[0]!] = this.extractor(data[path[0]!]);
+      const lastKey = path[0]!;
+      if (lastKey === '__proto__' || lastKey === 'constructor' || lastKey === 'prototype') {
+        throw new Error('Invalid path key');
+      }
+      data[lastKey] = this.extractor(data[lastKey]);
     }
 
     return {

Original file line number	Diff line number	Diff line change
`@@ -87,11 +87,18 @@ export default class WrapQuery<TContext = Record<string, any>>`
`87`	`87`	`const path = [...this.path];`
`88`	`88`	`while (path.length > 1) {`
`89`	`89`	`const next = path.shift()!;`
	`90`	`+ if (next === '__proto__' \|\| next === 'constructor' \|\| next === 'prototype') {`
	`91`	`+ throw new Error('Invalid path key');`
	`92`	`+ }`
`90`	`93`	`if (data[next]) {`
`91`	`94`	`data = data[next];`
`92`	`95`	`}`
`93`	`96`	`}`
`94`		`- data[path[0]!] = this.extractor(data[path[0]!]);`
	`97`	`+ const lastKey = path[0]!;`
	`98`	`+ if (lastKey === '__proto__' \|\| lastKey === 'constructor' \|\| lastKey === 'prototype') {`
	`99`	`+ throw new Error('Invalid path key');`
	`100`	`+ }`
	`101`	`+ data[lastKey] = this.extractor(data[lastKey]);`
`95`	`102`	`}`
`96`	`103`
`97`	`104`	`return {`