From 75abf38d52205f49d1499aee7329c7a16b8d061e Mon Sep 17 00:00:00 2001
From: XananasX
Date: Fri, 24 Apr 2026 14:38:59 +0100
Subject: [PATCH] fix(core): sanitize object keys in deepCopy to prevent prototype pollution

This patch addresses a critical Prototype Pollution vulnerability in the deepCopy utility. By blocking sensitive keys such as __proto__, constructor, and prototype during recursive cloning, we prevent attackers from polluting the global Object.prototype via malicious configuration files (e.g., angular.json). This fix directly mitigates the RCE risk reported in Google Issue Tracker #506079652.
---
 packages/angular_devkit/core/src/utils/object.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/packages/angular_devkit/core/src/utils/object.ts b/packages/angular_devkit/core/src/utils/object.ts
index cc0218023bb0..28c471035fb3 100644
--- a/packages/angular_devkit/core/src/utils/object.ts
+++ b/packages/angular_devkit/core/src/utils/object.ts
@@ -30,11 +30,18 @@ export function deepCopy(value: T): T {
 const copy = Object.create(Object.getPrototypeOf(valueCasted));
 valueCasted[copySymbol] = copy;
+
 for (const key of Object.getOwnPropertyNames(valueCasted)) {
+ // 🛡️ SECURITY CHECK FIRST: Block prototype pollution keys
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+ continue;
+ }
+
+ // Now it is safe to copy
 copy[key] = deepCopy(valueCasted[key]);
 }
+
 delete valueCasted[copySymbol];
-
 return copy;
 } else {
 return value;
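Review bot: The new guard in the `for` loop skips `constructor` and `prototype` as well as `__proto__`, but for ordinary objects only `__proto__` reaches an inherited setter through `copy[key] = ...`; assigning the other two merely creates an own property on `copy`, so inputs that legitimately carry those keys now come back from deepCopy with data silently missing. Consider narrowing the check to `if (key === '__proto__') { continue; }`, or keeping the key as plain data via `Object.defineProperty(copy, key, { value: deepCopy(valueCasted[key]), writable: true, enumerable: true, configurable: true });`. The two added comments would read better as one that says what is skipped and why, e.g. `// Skip own "__proto__": assigning it would replace the copy's prototype instead of creating a property.` The diffstat lists only object.ts, so a regression test that feeds deepCopy an object with an own `__proto__` key (as JSON.parse produces) and asserts the copy's prototype is unchanged is still missing. deepCopy starts before and ends after this hunk, so the rest of the function was not reviewed here.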