feat: add is dangerous key to encode/decode

Moumouls · Moumouls · commit cba326df8273 · 2025-10-14T20:44:14.000+02:00
diff --git a/src/ObjectStateMutations.ts b/src/ObjectStateMutations.ts
@@ -6,6 +6,7 @@ import TaskQueue from './TaskQueue';
 import { RelationOp } from './ParseOp';
 import type { Op } from './ParseOp';
 import type ParseObject from './ParseObject';
+import { isDangerousKey } from "./isDangerousKey";
 
 export type AttributeMap = Record<string, any>;
 export type OpsMap = Record<string, Op>;
@@ -19,24 +20,6 @@ export interface State {
   existed: boolean;
 }
 
-/**
- * Check if a property name or path is potentially dangerous for prototype pollution
- * @param key
- */
-function isDangerousKey(key: string): boolean {
-  const dangerousKeys = ["__proto__", "constructor", "prototype"];
-  // Check if the key itself is dangerous
-  if (dangerousKeys.includes(key)) {
-    return true;
-  }
-  // Check if any part of a dotted path is dangerous
-  if (key.includes(".")) {
-    const parts = key.split(".");
-    return parts.some((part) => dangerousKeys.includes(part));
-  }
-  return false;
-}
-
 export function defaultState(): State {
   return {
     serverData: Object.create(null),
diff --git a/src/__tests__/ObjectStateMutations-test.js b/src/__tests__/ObjectStateMutations-test.js
@@ -1,6 +1,7 @@
 jest.dontMock('../decode');
 jest.dontMock('../encode');
 jest.dontMock('../CoreManager');
+jest.dontMock('../isDangerousKey');
 jest.dontMock('../ObjectStateMutations');
 jest.dontMock('../ParseFile');
 jest.dontMock('../ParseGeoPoint');
@@ -11,7 +12,7 @@ jest.dontMock('../TaskQueue');
 const mockObject = function (className) {
   this.className = className;
 };
-mockObject.registerSubclass = function () {};
+mockObject.registerSubclass = function () { };
 jest.setMock('../ParseObject', mockObject);
 const CoreManager = require('../CoreManager').default;
 CoreManager.setParseObject(mockObject);
diff --git a/src/__tests__/decode-test.js b/src/__tests__/decode-test.js
@@ -1,5 +1,6 @@
 jest.dontMock('../decode');
 jest.dontMock('../CoreManager');
+jest.dontMock('../isDangerousKey');
 jest.dontMock('../ParseFile');
 jest.dontMock('../ParseGeoPoint');
 jest.dontMock('../ParseObject');
diff --git a/src/__tests__/encode-test.js b/src/__tests__/encode-test.js
@@ -1,4 +1,5 @@
 jest.dontMock('../encode');
+jest.dontMock('../isDangerousKey');
 jest.dontMock('../ParseACL');
 jest.dontMock('../ParseFile');
 jest.dontMock('../ParseGeoPoint');
diff --git a/src/decode.ts b/src/decode.ts
@@ -3,6 +3,7 @@ import ParseFile from './ParseFile';
 import ParseGeoPoint from './ParseGeoPoint';
 import ParsePolygon from './ParsePolygon';
 import ParseRelation from './ParseRelation';
+import { isDangerousKey } from "./isDangerousKey";
 
 export default function decode(value: any): any {
   if (value === null || typeof value !== 'object' || value instanceof Date) {
@@ -50,6 +51,10 @@ export default function decode(value: any): any {
   const copy = {};
   for (const k in value) {
     if (Object.prototype.hasOwnProperty.call(value, k)) {
+      // Skip dangerous keys that could pollute prototypes
+      if (isDangerousKey(k)) {
+        continue;
+      }
       copy[k] = decode(value[k]);
     }
   }
diff --git a/src/encode.ts b/src/encode.ts
@@ -4,6 +4,7 @@ import ParseFile from './ParseFile';
 import ParseGeoPoint from './ParseGeoPoint';
 import ParsePolygon from './ParsePolygon';
 import ParseRelation from './ParseRelation';
+import { isDangerousKey } from "./isDangerousKey";
 
 function encode(
   value: any,
@@ -73,7 +74,17 @@ function encode(
     for (const k in value) {
       // Only iterate over own properties
       if (Object.prototype.hasOwnProperty.call(value, k)) {
-        output[k] = encode(value[k], disallowObjects, forcePointers, seen, offline);
+        // Skip dangerous keys that could pollute prototypes
+        if (isDangerousKey(k)) {
+          continue;
+        }
+        output[k] = encode(
+          value[k],
+          disallowObjects,
+          forcePointers,
+          seen,
+          offline
+        );
       }
     }
     return output;
diff --git a/src/isDangerousKey.ts b/src/isDangerousKey.ts
@@ -0,0 +1,19 @@
+/**
+ * Check if a property name or path is potentially dangerous for prototype pollution
+ * Dangerous keys include: __proto__, constructor, prototype
+ * @param key - The property name or dotted path to check
+ * @returns true if the key is dangerous, false otherwise
+ */
+export function isDangerousKey(key: string): boolean {
+  const dangerousKeys = ["__proto__", "constructor", "prototype"];
+  // Check if the key itself is dangerous
+  if (dangerousKeys.includes(key)) {
+    return true;
+  }
+  // Check if any part of a dotted path is dangerous
+  if (key.includes(".")) {
+    const parts = key.split(".");
+    return parts.some((part) => dangerousKeys.includes(part));
+  }
+  return false;
+}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`jest.dontMock('../encode');`
	`2`	`+jest.dontMock('../isDangerousKey');`
`2`	`3`	`jest.dontMock('../ParseACL');`
`3`	`4`	`jest.dontMock('../ParseFile');`
`4`	`5`	`jest.dontMock('../ParseGeoPoint');`