Skip to content

fix: preserve __proto__ as an object key#17

Closed
rupayon123 wants to merge 2 commits into
promplate:mainfrom
rupayon123:fix/proto-key-define-property
Closed

fix: preserve __proto__ as an object key#17
rupayon123 wants to merge 2 commits into
promplate:mainfrom
rupayon123:fix/proto-key-define-property

Conversation

@rupayon123

Copy link
Copy Markdown

Fixes #8

This keeps __proto__ as a normal parsed object key by defining parsed members as own data properties instead of assigning through bracket syntax. I also added a regression check for the edge case.

Checks:

  • git diff --check

I could not run the JS build/tests locally because tsc and vitest are not installed in this checkout.

@bolt-new-by-stackblitz

Copy link
Copy Markdown

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@vercel

vercel Bot commented Jun 13, 2026

Copy link
Copy Markdown

@rupayon123 is attempting to deploy a commit to the promplate Team on Vercel.

A member of the Team first needs to authorize it.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses prototype pollution vulnerabilities during JSON parsing by replacing direct property assignment with Object.defineProperty. A test case has been added to verify that __proto__ properties are parsed safely without polluting the global prototype. The reviewer recommends optimizing this change by only using Object.defineProperty when the key is specifically "__proto__" to avoid unnecessary performance overhead on standard keys.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread src/index.ts Outdated
Comment on lines +109 to +114
Object.defineProperty(obj, key, {
value,
writable: true,
enumerable: true,
configurable: true,
});

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using Object.defineProperty for every single key in every parsed object introduces a significant performance penalty compared to direct property assignment (obj[key] = value). Since __proto__ is the only key that triggers prototype-related setter behavior on standard objects, we can optimize this by using Object.defineProperty only when key === '__proto__', and using direct assignment for all other keys.

                    if (key === "__proto__") {
                        Object.defineProperty(obj, key, {
                            value,
                            writable: true,
                            enumerable: true,
                            configurable: true,
                        });
                    } else {
                        obj[key] = value;
                    }

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

  • Using Object.defineProperty for every object key may add avoidable overhead; consider falling back to simple assignment for most keys and only using defineProperty for the "__proto__" case (or other known edge keys) to keep the common path fast.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Using `Object.defineProperty` for every object key may add avoidable overhead; consider falling back to simple assignment for most keys and only using `defineProperty` for the `"__proto__"` case (or other known edge keys) to keep the common path fast.

## Individual Comments

### Comment 1
<location path="tests/examples.test.js" line_range="25-30" />
<code_context>
     expect(parse('{"": "', OBJ)).toEqual({});
     expect(parse('{"": "', OBJ | STR)).toEqual({ "": "" });

+    const protoValue = { polluted: true };
+    const parsed = parse('{"__proto__":{"polluted":true},"safe":1}');
+    expect(Object.prototype.hasOwnProperty.call(parsed, "__proto__")).toBe(true);
+    expect(parsed.__proto__).toEqual(protoValue);
+    expect(parsed.safe).toBe(1);
+    expect(Object.prototype.polluted).toBeUndefined();
+
     expect(() => parse("{", STR)).toThrow(PartialJSON);
</code_context>
<issue_to_address>
**suggestion (testing):** Add more regression cases around `__proto__` to cover nested and non-object values and different parse flags.

Right now this only exercises a top-level `__proto__` object value with default flags. Please expand coverage with:

- A case where `__proto__` has a primitive value (e.g. `{"__proto__":1,"safe":1}`) to confirm it’s treated as a normal key and doesn’t affect the prototype.
- Nested `__proto__` keys (inside child objects and array elements) to ensure behavior is consistent beyond the top level.
- A variant using the same parse flags under which the original bug reproduced, to verify the fix in that configuration.

This will better guard against any remaining prototype-pollution paths.

```suggestion
    const protoValue = { polluted: true };

    // Top-level __proto__ with object value (default flags)
    const parsed = parse('{"__proto__":{"polluted":true},"safe":1}');
    expect(Object.prototype.hasOwnProperty.call(parsed, "__proto__")).toBe(true);
    expect(parsed.__proto__).toEqual(protoValue);
    expect(parsed.safe).toBe(1);
    expect(Object.prototype.polluted).toBeUndefined();

    // Top-level __proto__ with primitive value (default flags)
    const parsedPrimitive = parse('{"__proto__":1,"safe":1}');
    expect(Object.prototype.hasOwnProperty.call(parsedPrimitive, "__proto__")).toBe(true);
    expect(parsedPrimitive.__proto__).toBe(1);
    expect(parsedPrimitive.safe).toBe(1);
    expect(Object.prototype.polluted).toBeUndefined();

    // Nested __proto__ inside child object (default flags)
    const nestedObject = parse('{"level1":{"__proto__":{"polluted":true}},"safe":1}');
    expect(Object.prototype.hasOwnProperty.call(nestedObject.level1, "__proto__")).toBe(true);
    expect(nestedObject.level1.__proto__).toEqual(protoValue);
    expect(nestedObject.safe).toBe(1);
    expect(Object.prototype.polluted).toBeUndefined();

    // __proto__ inside array elements (default flags)
    const arrayNested = parse(
      '{"arr":[{"__proto__":{"polluted":true}},{"__proto__":1}],"safe":1}'
    );
    expect(Object.prototype.hasOwnProperty.call(arrayNested.arr[0], "__proto__")).toBe(true);
    expect(Object.prototype.hasOwnProperty.call(arrayNested.arr[1], "__proto__")).toBe(true);
    expect(arrayNested.arr[0].__proto__).toEqual(protoValue);
    expect(arrayNested.arr[1].__proto__).toBe(1);
    expect(arrayNested.safe).toBe(1);
    expect(Object.prototype.polluted).toBeUndefined();

    // Top-level __proto__ with object value using additional parse flags
    const parsedWithFlags = parse(
      '{"__proto__":{"polluted":true},"safe":1}',
      OBJ | STR
    );
    expect(Object.prototype.hasOwnProperty.call(parsedWithFlags, "__proto__")).toBe(true);
    expect(parsedWithFlags.__proto__).toEqual(protoValue);
    expect(parsedWithFlags.safe).toBe(1);
    expect(Object.prototype.polluted).toBeUndefined();
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment thread tests/examples.test.js
Comment on lines +25 to +30
const protoValue = { polluted: true };
const parsed = parse('{"__proto__":{"polluted":true},"safe":1}');
expect(Object.prototype.hasOwnProperty.call(parsed, "__proto__")).toBe(true);
expect(parsed.__proto__).toEqual(protoValue);
expect(parsed.safe).toBe(1);
expect(Object.prototype.polluted).toBeUndefined();

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (testing): Add more regression cases around __proto__ to cover nested and non-object values and different parse flags.

Right now this only exercises a top-level __proto__ object value with default flags. Please expand coverage with:

  • A case where __proto__ has a primitive value (e.g. {"__proto__":1,"safe":1}) to confirm it’s treated as a normal key and doesn’t affect the prototype.
  • Nested __proto__ keys (inside child objects and array elements) to ensure behavior is consistent beyond the top level.
  • A variant using the same parse flags under which the original bug reproduced, to verify the fix in that configuration.

This will better guard against any remaining prototype-pollution paths.

Suggested change
const protoValue = { polluted: true };
const parsed = parse('{"__proto__":{"polluted":true},"safe":1}');
expect(Object.prototype.hasOwnProperty.call(parsed, "__proto__")).toBe(true);
expect(parsed.__proto__).toEqual(protoValue);
expect(parsed.safe).toBe(1);
expect(Object.prototype.polluted).toBeUndefined();
const protoValue = { polluted: true };
// Top-level __proto__ with object value (default flags)
const parsed = parse('{"__proto__":{"polluted":true},"safe":1}');
expect(Object.prototype.hasOwnProperty.call(parsed, "__proto__")).toBe(true);
expect(parsed.__proto__).toEqual(protoValue);
expect(parsed.safe).toBe(1);
expect(Object.prototype.polluted).toBeUndefined();
// Top-level __proto__ with primitive value (default flags)
const parsedPrimitive = parse('{"__proto__":1,"safe":1}');
expect(Object.prototype.hasOwnProperty.call(parsedPrimitive, "__proto__")).toBe(true);
expect(parsedPrimitive.__proto__).toBe(1);
expect(parsedPrimitive.safe).toBe(1);
expect(Object.prototype.polluted).toBeUndefined();
// Nested __proto__ inside child object (default flags)
const nestedObject = parse('{"level1":{"__proto__":{"polluted":true}},"safe":1}');
expect(Object.prototype.hasOwnProperty.call(nestedObject.level1, "__proto__")).toBe(true);
expect(nestedObject.level1.__proto__).toEqual(protoValue);
expect(nestedObject.safe).toBe(1);
expect(Object.prototype.polluted).toBeUndefined();
// __proto__ inside array elements (default flags)
const arrayNested = parse(
'{"arr":[{"__proto__":{"polluted":true}},{"__proto__":1}],"safe":1}'
);
expect(Object.prototype.hasOwnProperty.call(arrayNested.arr[0], "__proto__")).toBe(true);
expect(Object.prototype.hasOwnProperty.call(arrayNested.arr[1], "__proto__")).toBe(true);
expect(arrayNested.arr[0].__proto__).toEqual(protoValue);
expect(arrayNested.arr[1].__proto__).toBe(1);
expect(arrayNested.safe).toBe(1);
expect(Object.prototype.polluted).toBeUndefined();
// Top-level __proto__ with object value using additional parse flags
const parsedWithFlags = parse(
'{"__proto__":{"polluted":true},"safe":1}',
OBJ | STR
);
expect(Object.prototype.hasOwnProperty.call(parsedWithFlags, "__proto__")).toBe(true);
expect(parsedWithFlags.__proto__).toEqual(protoValue);
expect(parsedWithFlags.safe).toBe(1);
expect(Object.prototype.polluted).toBeUndefined();

@coderabbitai

coderabbitai Bot commented Jun 13, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@rupayon123, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 24 minutes and 2 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d2817b48-3cf2-47ac-a817-c5d78f9cc1c5

📥 Commits

Reviewing files that changed from the base of the PR and between 0502a65 and c9523fa.

📒 Files selected for processing (2)
  • src/index.ts
  • tests/examples.test.js
📝 Walkthrough

Walkthrough

In src/index.ts, object parsing switches from obj[key] = value to Object.defineProperty(obj, key, { value, writable: true, enumerable: true, configurable: true }). This ensures that keys like __proto__ are stored as own data properties rather than silently mutating Object.prototype. In tests/examples.test.js, a new assertion block parses a __proto__-keyed object, verifies the value is captured correctly, and confirms Object.prototype.polluted stays undefined.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately reflects the primary change: updating object parsing to preserve proto as a normal key using Object.defineProperty.
Description check ✅ Passed The description is clearly related to the changeset, referencing issue #8 and explaining the fix with sufficient detail about the implementation approach.
Linked Issues check ✅ Passed The code changes directly implement the requested solution from issue #8: using Object.defineProperty with proper property descriptors instead of bracket assignment, and adding regression test coverage.
Out of Scope Changes check ✅ Passed All changes are in-scope: the core fix in src/index.ts and the regression test in tests/examples.test.js directly address the proto parsing issue without unrelated modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@rupayon123

Copy link
Copy Markdown
Author

Updated this for the review feedback. The parser now only uses Object.defineProperty for the __proto__ key, so normal keys stay on the assignment path, and the test covers primitive, nested, array, and flagged parse cases.

git diff --check passes. I still can’t run the Vitest suite locally because vitest is not installed in this checkout.

@pkg-pr-new

pkg-pr-new Bot commented Jun 14, 2026

Copy link
Copy Markdown

Open in StackBlitz

npm i https://pkg.pr.new/partial-json@17

commit: c9523fa

@vercel

vercel Bot commented Jun 14, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
partial-json-coverage Ready Ready Preview, Comment Jun 14, 2026 12:13am

Copy link
Copy Markdown
Author

Closing this in favor of #20, which is the cleaner current version of the same __proto__ fix.

@rupayon123 rupayon123 closed this Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Edge case with proto

1 participant