Improve robustness against sensitive properties in core extend and markup parser. Restored deep merge behavior in markup component and added Debug.assert for reporting.

Author: RinZ27

src/core/core.js

@@ -9,21 +9,23 @@ const version = '$_CURRENT_SDK_VERSION';
  */
 const revision = '$_CURRENT_SDK_REVISION';
 
+import { Debug } from './debug.js';
+
 /**
  * Merge the contents of two objects into a single object.
  *
  * @param {object} target - The target object of the merge.
- * @param {object} ex - The object that is merged with target.
+ * @param {object} ex - The object to be merged into the target.
  * @returns {object} The target object.
  * @example
- * const A = {
+ * var A = {
  *     a: function () {
- *         console.log(this.a);
+ *         console.log('a');
  *     }
  * };
- * const B = {
+ * var B = {
  *     b: function () {
- *         console.log(this.b);
+ *         console.log('b');
  *     }
  * };
  *
@@ -36,6 +38,16 @@ const revision = '$_CURRENT_SDK_REVISION';
  */
 function extend(target, ex) {
     for (const prop in ex) {
+        if (!Object.prototype.hasOwnProperty.call(ex, prop)) {
+            continue;
+        }
+
+        const isForbidden = prop === '__proto__' || prop === 'constructor' || prop === 'prototype';
+        Debug.assert(!isForbidden, `Ignoring forbidden property: ${prop}`);
+        if (isForbidden) {
+            continue;
+        }
+
         const copy = ex[prop];
 
         if (Array.isArray(copy)) {
@@ -50,4 +62,5 @@ function extend(target, ex) {
     return target;
 }
 
+
 export { extend, revision, version };

src/framework/components/element/markup.js

@@ -1,3 +1,5 @@
+import { Debug } from '../../../core/debug.js';
+
 // markup scanner
 
 // list of scanner tokens
@@ -334,9 +336,16 @@ class Parser {
 // of assign)
 function merge(target, source) {
     for (const key in source) {
-        if (!source.hasOwnProperty(key)) {
+        if (!Object.prototype.hasOwnProperty.call(source, key)) {
             continue;
         }
+
+        const isForbidden = key === '__proto__' || key === 'constructor' || key === 'prototype';
+        Debug.assert(!isForbidden, `Ignoring forbidden property: ${key}`);
+        if (isForbidden) {
+            continue;
+        }
+
         const value = source[key];
         if (value instanceof Object) {
             if (!target.hasOwnProperty(key)) {

test/framework/components/element/markup-security.test.mjs

@@ -0,0 +1,70 @@
+import { expect } from 'chai';
+import { extend } from '../../../../src/core/core.js';
+import { Markup } from '../../../../src/framework/components/element/markup.js';
+
+describe('Security: Prototype Pollution', function () {
+    describe('Markup Parser', function () {
+        it('should ignore sensitive keys like __proto__ during merging', function () {
+            // [__proto__ polluted="true"]hello[/__proto__]
+            const symbols = [
+                '[', '_', '_', 'p', 'r', 'o', 't', 'o', '_', '_', ' ', 'p', 'o', 'l', 'l', 'u', 't', 'e', 'd', '=', '"', 't', 'r', 'u', 'e', '"', ']', 
+                'h', 'e', 'l', 'l', 'o', 
+                '[', '/', '_', '_', 'p', 'r', 'o', 't', 'o', '_', '_', ']'
+            ];
+            
+            // Ensure Object.prototype is clean before test
+            expect({}.polluted).to.be.undefined;
+
+            const results = Markup.evaluate(symbols);
+            
+            expect(results.tags).to.not.equal(null);
+            results.tags.forEach((tag) => {
+                if (tag) {
+                    expect(Object.prototype.hasOwnProperty.call(tag, '__proto__')).to.be.false;
+                }
+            });
+
+            expect({}.polluted).to.be.undefined;
+        });
+
+        it('should ignore constructor and prototype keys', function () {
+            // [constructor]test[/constructor]
+            const symbols = [
+                '[', 'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'o', 'r', ']', 
+                't', 'e', 's', 't', 
+                '[', '/', 'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'o', 'r', ']'
+            ];
+            
+            const results = Markup.evaluate(symbols);
+            expect(results.tags).to.not.equal(null);
+            results.tags.forEach((tag) => {
+                if (tag) {
+                    expect(Object.prototype.hasOwnProperty.call(tag, 'constructor')).to.be.false;
+                }
+            });
+        });
+    });
+
+    describe('Core: extend utility', function () {
+        it('should protect against prototype pollution', function () {
+            const payload = JSON.parse('{"__proto__": {"vulnerable": "yes"}}');
+            const target = {};
+            
+            const originalPrototype = Object.getPrototypeOf(target);
+            extend(target, payload);
+            
+            expect({}.vulnerable).to.be.undefined;
+            expect(target.vulnerable).to.be.undefined;
+            expect(Object.getPrototypeOf(target)).to.equal(originalPrototype);
+        });
+
+        it('should protect against constructor/prototype pollution', function () {
+            const payload = JSON.parse('{"constructor": {"prototype": {"vulnerable": "yes"}}}');
+            const target = {};
+            
+            extend(target, payload);
+            
+            expect({}.vulnerable).to.be.undefined;
+        });
+    });
+});