
fix: prevent prototype pollution via __proto__#156

Merged
pi0 merged 3 commits into unjs:main from kricsleo:fix/proto-pollution
Apr 1, 2026

Conversation

@kricsleo
Member

@kricsleo kricsleo commented Apr 1, 2026

Resolves #155

Problem

When merging untrusted input (e.g. a parsed JSON request body) as the first argument to defu, a crafted __proto__ key can pollute the resulting object's prototype:

import { defu } from "defu";

const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}');
const config = defu(userInput, { isAdmin: false });

config.isAdmin; // true — attacker overrides the server default

This affects any application that passes unsanitized user input (HTTP request bodies, database records, config files from untrusted sources) into defu to merge with safe defaults.

Cause

Object.assign({}, defaults) triggers the __proto__ setter, replacing the object's prototype with attacker-controlled values. Properties inherited from the polluted prototype bypass the existing __proto__ key guard in the for...in loop.

Fix

Replace Object.assign({}, defaults) with object spread ({ ...defaults }), which uses [[DefineOwnProperty]] and does not invoke the __proto__ setter.

Summary by CodeRabbit

  • Tests
    • Enhanced security testing to prevent prototype pollution vulnerabilities.
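The mechanism the description gives, as an added example that is not defu's source: a minimal defu-style merge (hypothetical `mergeWith`/`makeDefu`, modelled on the description) with the target initialised by Object.assign beside the spread version, and a `reproduce` check that runs the PR's payload through both.

```javascript
// Added example, not defu's source: minimal defu-style merge per the PR text.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Keys of `base` win over `defaults`. The for...in guard mirrors the one the
// PR mentions: own "__proto__"/"constructor" keys are skipped, but keys
// inherited from a polluted prototype still enumerate and pass through.
function mergeWith(initTarget, base, defaults) {
  const object = initTarget(isPlainObject(defaults) ? defaults : {});
  for (const key in base) {
    if (key === "__proto__" || key === "constructor") continue;
    const value = base[key];
    if (value === null || value === undefined) continue;
    object[key] = value;
  }
  return object;
}

// Before the fix: Object.assign uses [[Set]], so an own "__proto__" key on
// `d` invokes the inherited __proto__ setter and replaces the target's
// [[Prototype]] with attacker-controlled data.
const vulnerableInit = (d) => Object.assign({}, d);

// After the fix: object spread uses [[DefineOwnProperty]]; "__proto__"
// becomes an ordinary own property and the prototype stays Object.prototype.
const fixedInit = (d) => ({ ...d });

// defu(...args) reduces over its arguments starting from an empty object,
// so untrusted input passed first becomes `defaults` in the first step.
function makeDefu(init) {
  return (...args) => args.reduce((p, c) => mergeWith(init, p, c), {});
}
const defuBefore = makeDefu(vulnerableInit);
const defuAfter = makeDefu(fixedInit);

// Constructed input reproducing the payload from the PR description.
const userInput = JSON.parse('{"__proto__":{"isAdmin":true}}');

// Returns what the server would observe for a given defu implementation.
function reproduce(defuImpl) {
  const config = defuImpl(userInput, { isAdmin: false });
  const single = defuImpl(userInput);
  return {
    isAdmin: config.isAdmin, // true = server default overridden
    prototypeReplaced: Object.getPrototypeOf(single) !== Object.prototype,
    globalPolluted: ({}).isAdmin !== undefined, // per-object, not global
  };
}
```

`reproduce(defuBefore)` reports `isAdmin: true` with the intermediate object's prototype replaced, while `reproduce(defuAfter)` keeps `isAdmin: false`; in neither case is the shared Object.prototype touched, so the damage is confined to objects built from the tainted input.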

@coderabbitai

coderabbitai bot commented Apr 1, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 70aa604 and 0493ab8.

📒 Files selected for processing (2)
  • src/defu.ts
  • test/defu.test.ts
✅ Files skipped from review due to trivial changes (1)
  • src/defu.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/defu.test.ts

Walkthrough

Replaced Object.assign-based initialization with object spread when creating the merge target and extended tests to assert that a __proto__ payload does not override provided defaults.

Changes

  • Core merge logic (src/defu.ts): Replaced Object.assign({}, defaults) with { ...defaults } when initializing the working target object used by the merge routine.
  • Tests (test/defu.test.ts): Added a test case that passes a {"__proto__":{"isAdmin":true}} payload to defu and asserts the returned result retains the supplied default (isAdmin: false), extending prototype-pollution coverage.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through keys both old and new,

I spread the defaults, fixed a view,
A tiny test to guard the gate,
No sneaky proto can infiltrate,
Hooray for checks — a safer state! 🥕

Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'fix: prevent prototype pollution via __proto__ in defaults' accurately describes the main change: fixing a prototype pollution vulnerability by modifying how the defaults argument is handled.
  • Linked Issues check: Passed. The PR addresses issue #155 by replacing Object.assign({}, defaults) with object spread ({ ...defaults }), which prevents the __proto__ setter from being invoked and blocks prototype pollution via the defaults argument.
  • Out of Scope Changes check: Passed. All changes are directly related to fixing the prototype pollution vulnerability: the implementation change uses object spread instead of Object.assign, and the test addition validates the __proto__ attack vector is now blocked.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@pi0 pi0 changed the title fix: avoids prototype pollution fix: prevent prototype pollution via defaults Apr 1, 2026
@pi0 pi0 changed the title fix: prevent prototype pollution via defaults fix: prevent prototype pollution via __proto__ in defaults Apr 1, 2026
@codecov

codecov bot commented Apr 1, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (70cffe5) to head (5767f6f).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##             main      #156       +/-   ##
============================================
+ Coverage   45.73%   100.00%   +54.26%     
============================================
  Files           4         2        -2     
  Lines         223        46      -177     
  Branches       35        18       -17     
============================================
- Hits          102        46       -56     
+ Misses        119         0      -119     
+ Partials        2         0        -2     


@pi0 pi0 merged commit 3942bfb into unjs:main Apr 1, 2026
4 checks passed
@pi0 pi0 changed the title fix: prevent prototype pollution via __proto__ in defaults fix: prevent prototype pollution via __proto__ Apr 1, 2026

Development

Successfully merging this pull request may close these issues.

Incomplete __proto__ guard bypass allows prototype pollution via defaults argument

2 participants