Reworked deepmerge's prototype pollution check to use Object.prototype.hasOwnProperty

Author: tjcouch-sil

packages/mui-utils/src/deepmerge/deepmerge.test.ts

@@ -34,6 +34,18 @@ describe('deepmerge', () => {
     expect({}).not.to.have.property('isAdmin');
   });
 
+  it('should appropriately copy the fields without prototype pollution', () => {
+    const result = deepmerge(
+      {},
+      JSON.parse('{ "myProperty": "a", "__proto__" : { "isAdmin" : true } }'),
+    );
+
+    // @ts-expect-error __proto__ is not on this object type
+    // eslint-disable-next-line no-proto
+    expect(result.__proto__).to.have.property('isAdmin');
+    expect({}).not.to.have.property('isAdmin');
+  })
+
   it('should merge objects across realms', function test() {
     if (!/jsdom/.test(window.navigator.userAgent)) {
       // vm is only available in Node.js.

packages/mui-utils/src/deepmerge/deepmerge.ts

@@ -41,12 +41,12 @@ export default function deepmerge<T>(
 
   if (isPlainObject(target) && isPlainObject(source)) {
     Object.keys(source).forEach((key) => {
-      // Avoid prototype pollution
-      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
-        return;
-      }
-
-      if (isPlainObject(source[key]) && key in target && isPlainObject(target[key])) {
+      if (
+        isPlainObject(source[key]) &&
+        // Avoid prototype pollution
+        Object.prototype.hasOwnProperty.call(target, key) &&
+        isPlainObject(target[key])
+      ) {
         // Since `output` is a clone of `target` and we have narrowed `target` in this block we can cast to the same type.
         (output as Record<keyof any, unknown>)[key] = deepmerge(target[key], source[key], options);
       } else if (options.clone) {