Protect against prototype pollution in markup parser

Author: RinZ27

src/core/core.js

@@ -36,6 +36,10 @@ const revision = '$_CURRENT_SDK_REVISION';
  */
 function extend(target, ex) {
     for (const prop in ex) {
+        if (prop === '__proto__' || prop === 'constructor' || prop === 'prototype') {
+            continue;
+        }
+
         const copy = ex[prop];
 
         if (Array.isArray(copy)) {

src/framework/components/element/markup.js

@@ -1,3 +1,5 @@
+import { extend } from '../../../core/core.js';
+
 // markup scanner
 
 // list of scanner tokens
@@ -330,25 +332,6 @@ class Parser {
     }
 }
 
-// copy the contents of source object into target object (like a deep version
-// of assign)
-function merge(target, source) {
-    for (const key in source) {
-        if (!source.hasOwnProperty(key)) {
-            continue;
-        }
-        const value = source[key];
-        if (value instanceof Object) {
-            if (!target.hasOwnProperty(key)) {
-                target[key] = { };
-            }
-            merge(target[key], source[key]);
-        } else {
-            target[key] = value;
-        }
-    }
-}
-
 function combineTags(tags) {
     if (tags.length === 0) {
         return null;
@@ -358,7 +341,7 @@ function combineTags(tags) {
         const tag = tags[index];
         const tmp = { };
         tmp[tag.name] = { value: tag.value, attributes: tag.attributes };
-        merge(result, tmp);
+        extend(result, tmp);
     }
     return result;
 }

test/framework/components/element/markup-security.test.mjs

@@ -0,0 +1,50 @@
+import { expect } from 'chai';
+import { extend } from '../../../../src/core/core.js';
+import { Markup } from '../../../../src/framework/components/element/markup.js';
+
+describe('Security: Prototype Pollution', function () {
+    describe('Markup Parser', function () {
+        it('should ignore sensitive keys like __proto__ during merging', function () {
+            const symbols = ['[', '_', '_', 'p', 'r', 'o', 't', 'o', '_', '_', ' ', 'p', 'o', 'l', 'l', 'u', 't', 'e', 'd', '=', '"', 't', 'r', 'u', 'e', '"', ']', 'h', 'e', 'l', 'l', 'o'];
+            
+            // Ensure Object.prototype is clean before test
+            expect({}.polluted).to.be.undefined;
+
+            try {
+                Markup.evaluate(symbols);
+            } catch (e) {
+                // ignore potential errors during evaluation as we only care about pollution
+            }
+
+            expect({}.polluted).to.be.undefined;
+        });
+
+        it('should ignore constructor and prototype keys', function () {
+            const symbols = ['[', 'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'o', 'r', ']', 't', 'e', 's', 't'];
+            
+            const results = Markup.evaluate(symbols);
+            expect(results.tags).to.not.have.property('constructor');
+        });
+    });
+
+    describe('Core: extend utility', function () {
+        it('should protect against prototype pollution', function () {
+            const payload = JSON.parse('{"__proto__": {"vulnerable": "yes"}}');
+            const target = {};
+            
+            extend(target, payload);
+            
+            expect({}.vulnerable).to.be.undefined;
+            expect(target).to.not.have.property('__proto__');
+        });
+
+        it('should protect against constructor/prototype pollution', function () {
+            const payload = JSON.parse('{"constructor": {"prototype": {"vulnerable": "yes"}}}');
+            const target = {};
+            
+            extend(target, payload);
+            
+            expect({}.vulnerable).to.be.undefined;
+        });
+    });
+});