fix: prevent prototype pollution in mix function

Copilot · hustcc · web-flow · commit cfde1e313a76 · 2026-04-05T23:53:17.000Z
Agent-Logs-Url: https://github.com/antvis/util/sessions/7731b37f-784f-4d46-bfc5-ea4bf127da73 Co-authored-by: hustcc <7856674+hustcc@users.noreply.github.com>
diff --git a/__tests__/unit/lodash/mix.spec.ts b/__tests__/unit/lodash/mix.spec.ts
@@ -0,0 +1,25 @@
+import mix from '../../../src/lodash/mix';
+
+describe('mix', () => {
+  it('merges plain objects', () => {
+    const result = mix({} as any, { a: 1 }, { b: 2 });
+    expect(result).toEqual({ a: 1, b: 2 });
+  });
+
+  it('does not pollute Object.prototype via __proto__', () => {
+    const payload = JSON.parse('{"__proto__": {"polluted": true}}');
+    mix({}, payload);
+    expect((Object.prototype as any).polluted).toBeUndefined();
+  });
+
+  it('does not pollute via constructor key', () => {
+    const payload = JSON.parse('{"constructor": {"prototype": {"polluted": true}}}');
+    mix({}, payload);
+    expect((Object.prototype as any).polluted).toBeUndefined();
+  });
+
+  it('does not pollute via prototype key', () => {
+    mix({} as any, { prototype: { polluted: true } } as any);
+    expect((Object.prototype as any).polluted).toBeUndefined();
+  });
+});
diff --git a/src/lodash/mix.ts b/src/lodash/mix.ts
@@ -1,7 +1,15 @@
 // FIXME: Mutable param should be forbidden in static lang.
 function _mix<Base, Source>(dist: Base & Source, obj: Source): void {
   for (const key in obj) {
-    if (obj.hasOwnProperty(key) && key !== 'constructor' && obj[key] !== undefined) {
+    // Prevent prototype pollution by skipping dangerous keys
+    if (
+      key === '__proto__' ||
+      key === 'constructor' ||
+      key === 'prototype'
+    ) {
+      continue;
+    }
+    if (obj.hasOwnProperty(key) && obj[key] !== undefined) {
       (<any>dist)[key] = obj[key];
     }
   }
