Skip to content

fix(security): 2 improvements across 2 files#2772

Open
tomaioo wants to merge 2 commits into
emberjs:mainfrom
tomaioo:fix/security/prototype-pollution-in-baseobject-class
Open

fix(security): 2 improvements across 2 files#2772
tomaioo wants to merge 2 commits into
emberjs:mainfrom
tomaioo:fix/security/prototype-pollution-in-baseobject-class

Conversation

@tomaioo

@tomaioo tomaioo commented Jun 29, 2026

Copy link
Copy Markdown

Summary

fix(security): 2 improvements across 2 files

Problem

Severity: High | File: packages/ember-debug/utils/base-object.js:L4

The BaseObject class uses Object.assign(this, data || {}) in its constructor, which can lead to prototype pollution if an attacker provides a specially crafted object with __proto__, constructor, or prototype keys. This could allow modification of the Object prototype, leading to arbitrary code execution or other security issues. Additionally, the reopen method has the same vulnerability.

Solution

Use a safe assignment method that only copies own properties and skips prototype-related keys. Consider using Object.assign with a null prototype object or explicitly filtering out dangerous keys like __proto__, constructor, and prototype.

Changes

  • packages/ember-debug/utils/base-object.js (modified)
  • packages/ember-inspector/app/helpers/build-style.js (modified)

tomaioo added 2 commits June 29, 2026 11:11
- Security: Prototype Pollution in BaseObject class
- Security: Potential Cross-Site Scripting (XSS) via htmlSafe in build-style helper

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
- Security: Prototype Pollution in BaseObject class
- Security: Potential Cross-Site Scripting (XSS) via htmlSafe in build-style helper

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant