Skip to content

Potential fix for code scanning alert no. 23: Prototype-polluting function#29

Merged
NullSablex merged 1 commit into
masterfrom
alert-autofix-23
Jun 20, 2026
Merged

Potential fix for code scanning alert no. 23: Prototype-polluting function#29
NullSablex merged 1 commit into
masterfrom
alert-autofix-23

Conversation

@NullSablex

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/NullSablex/PawnPro/security/code-scanning/23

General fix: in deep-assignment code, enforce an explicit denylist for dangerous keys (__proto__, constructor, prototype) at the assignment/traversal point, and ensure traversal only proceeds through own plain-object properties.

Best targeted fix in src/core/config.ts:

  1. In setKey, after splitting dotPath, reject empty segments and reject dangerous keys with a local guard.
  2. In traversal, use Object.prototype.hasOwnProperty.call(cursor, key) + isPlainObject before descending; otherwise create a new plain object.
  3. Before writing leaf, apply the same explicit dangerous-key block.
  4. Keep existing behavior otherwise unchanged.

No new imports/dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ction

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@NullSablex NullSablex marked this pull request as ready for review June 20, 2026 21:55
@NullSablex NullSablex merged commit 24cb3e1 into master Jun 20, 2026
4 checks passed
@NullSablex NullSablex deleted the alert-autofix-23 branch June 20, 2026 21:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant