Merge commit from fork

* fix: prototype pollusion on deepCopy

* fix: more test case

* fix: change to `Object.create(null)` from object literal for more safety

Author: kazupon

packages/core-base/src/compilation.ts

@@ -4,6 +4,7 @@ import {
   isBoolean,
   isObject,
   isString,
+  create,
   warn
 } from '@intlify/shared'
 import { format as formatMessage, resolveType } from './format'
@@ -35,7 +36,7 @@ function checkHtmlMessage(source: string, warnHtmlMessage?: boolean): void {
 }
 
 const defaultOnCacheKey = (message: string): string => message
-let compileCache: unknown = Object.create(null)
+let compileCache: unknown = create()
 
 function onCompileWarn(_warn: CompileWarn): void {
   if (_warn.code === CompileWarnCodes.USE_MODULO_SYNTAX) {
@@ -49,7 +50,7 @@ function onCompileWarn(_warn: CompileWarn): void {
 }
 
 export function clearCompileCache(): void {
-  compileCache = Object.create(null)
+  compileCache = create()
 }
 
 export function isMessageAST(val: unknown): val is ResourceNode {

packages/core-base/src/context.ts

@@ -9,6 +9,7 @@ import {
   isFunction,
   isPlainObject,
   assign,
+  create,
   isObject,
   warnOnce
 } from '@intlify/shared'
@@ -510,23 +511,23 @@ export function createCoreContext<Message = string>(options: any = {}): any {
       : _locale
   const messages = isPlainObject(options.messages)
     ? options.messages
-    : { [_locale]: {} }
+    : createResources(_locale)
   const datetimeFormats = !__LITE__
     ? isPlainObject(options.datetimeFormats)
       ? options.datetimeFormats
-      : { [_locale]: {} }
-    : /* #__PURE__*/ { [_locale]: {} }
+      : createResources(_locale)
+    : /* #__PURE__*/ createResources(_locale)
   const numberFormats = !__LITE__
     ? isPlainObject(options.numberFormats)
       ? options.numberFormats
-      : { [_locale]: {} }
-    : /* #__PURE__*/ { [_locale]: {} }
+      : createResources(_locale)
+    : /* #__PURE__*/ createResources(_locale)
   const modifiers = assign(
-    {},
-    options.modifiers || {},
+    create(),
+    options.modifiers,
     getDefaultLinkedModifiers<Message>()
   )
-  const pluralRules = options.pluralRules || {}
+  const pluralRules = options.pluralRules || create()
   const missing = isFunction(options.missing) ? options.missing : null
   const missingWarn =
     isBoolean(options.missingWarn) || isRegExp(options.missingWarn)
@@ -631,6 +632,8 @@ export function createCoreContext<Message = string>(options: any = {}): any {
   return context
 }
 
+const createResources = (locale: Locale) => ({ [locale]: create() })
+
 /** @internal */
 export function isTranslateFallbackWarn(
   fallback: boolean | RegExp,

packages/core-base/src/datetime.ts

@@ -5,6 +5,7 @@ import {
   isDate,
   isNumber,
   isEmptyObject,
+  create,
   assign
 } from '@intlify/shared'
 import {
@@ -323,8 +324,8 @@ export function parseDateTimeArgs(
   ...args: unknown[]
 ): [string, number | Date, DateTimeOptions, Intl.DateTimeFormatOptions] {
   const [arg1, arg2, arg3, arg4] = args
-  const options = {} as DateTimeOptions
-  let overrides = {} as Intl.DateTimeFormatOptions
+  const options = create() as DateTimeOptions
+  let overrides = create() as Intl.DateTimeFormatOptions
 
   let value: number | Date
   if (isString(arg1)) {

packages/core-base/src/number.ts

@@ -4,6 +4,7 @@ import {
   isPlainObject,
   isNumber,
   isEmptyObject,
+  create,
   assign
 } from '@intlify/shared'
 import {
@@ -318,8 +319,8 @@ export function parseNumberArgs(
   ...args: unknown[]
 ): [string, number, NumberOptions, Intl.NumberFormatOptions] {
   const [arg1, arg2, arg3, arg4] = args
-  const options = {} as NumberOptions
-  let overrides = {} as Intl.NumberFormatOptions
+  const options = create() as NumberOptions
+  let overrides = create() as Intl.NumberFormatOptions
 
   if (!isNumber(arg1)) {
     throw createCoreError(CoreErrorCodes.INVALID_ARGUMENT)

packages/core-base/src/runtime.ts

@@ -1,5 +1,6 @@
 import {
   assign,
+  create,
   isNumber,
   isFunction,
   toDisplayString,
@@ -16,10 +17,10 @@ type ExtractToStringKey<T> = Extract<keyof T, 'toString'>
 type ExtractToStringFunction<T> = T[ExtractToStringKey<T>]
 // prettier-ignore
 type StringConvertable<T> = ExtractToStringKey<T> extends never
-	? unknown
-	: ExtractToStringFunction<T> extends (...args: any) => string // eslint-disable-line @typescript-eslint/no-explicit-any
-	  ? T
-	  : unknown
+  ? unknown
+  : ExtractToStringFunction<T> extends (...args: any) => string // eslint-disable-line @typescript-eslint/no-explicit-any
+  ? T
+  : unknown
 
 /** @VueI18nGeneral */
 export type Locale = string
@@ -279,27 +280,27 @@ function pluralDefault(choice: number, choicesLength: number): number {
   if (choicesLength === 2) {
     // prettier-ignore
     return choice
-	    ? choice > 1
-	      ? 1
-	      : 0
-	    : 1
+      ? choice > 1
+        ? 1
+        : 0
+      : 1
   }
   return choice ? Math.min(choice, 2) : 0
 }
 
 function getPluralIndex<T, N>(options: MessageContextOptions<T, N>): number {
   // prettier-ignore
   const index = isNumber(options.pluralIndex)
-	  ? options.pluralIndex
-	  : -1
+    ? options.pluralIndex
+    : -1
   // prettier-ignore
   return options.named && (isNumber(options.named.count) || isNumber(options.named.n))
-	  ? isNumber(options.named.count)
-	    ? options.named.count
-	    : isNumber(options.named.n)
-	      ? options.named.n
-	      : index
-	  : index
+    ? isNumber(options.named.count)
+      ? options.named.count
+      : isNumber(options.named.n)
+        ? options.named.n
+        : index
+    : index
 }
 
 function normalizeNamed(pluralIndex: number, props: PluralizationProps): void {
@@ -336,17 +337,17 @@ export function createMessageContext<T = string, N = {}>(
   const list = (index: number): unknown => _list[index]
 
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const _named = options.named || ({} as any)
+  const _named = options.named || (create() as any)
   isNumber(options.pluralIndex) && normalizeNamed(pluralIndex, _named)
   const named = (key: string): unknown => _named[key]
 
   function message(key: Path): MessageFunction<T> {
     // prettier-ignore
     const msg = isFunction(options.messages)
-	    ? options.messages(key)
-	    : isObject(options.messages)
-	      ? options.messages[key]
-	      : false
+      ? options.messages(key)
+      : isObject(options.messages)
+        ? options.messages[key]
+        : false
     return !msg
       ? options.parent
         ? options.parent.message(key) // resolve from parent messages
@@ -412,7 +413,7 @@ export function createMessageContext<T = string, N = {}>(
     [HelperNameMap.TYPE]: type,
     [HelperNameMap.INTERPOLATE]: interpolate,
     [HelperNameMap.NORMALIZE]: normalize,
-    [HelperNameMap.VALUES]: assign({}, _list, _named)
+    [HelperNameMap.VALUES]: assign(create(), _list, _named)
   }
 
   return ctx

packages/core-base/src/translate.ts

@@ -14,6 +14,7 @@ import {
   mark,
   measure,
   assign,
+  create,
   isObject
 } from '@intlify/shared'
 import { isMessageAST } from './compilation'
@@ -675,7 +676,7 @@ export function translate<
     : [
         key,
         locale,
-        (messages as unknown as LocaleMessages<Message>)[locale] || {}
+        (messages as unknown as LocaleMessages<Message>)[locale] || create()
       ]
   // NOTE:
   //  Fix to work around `ssrTransfrom` bug in Vite.
@@ -777,14 +778,14 @@ export function translate<
           ? (format as MessageFunctionInternal).key!
           : '',
       locale: targetLocale || (isMessageFunction(format)
-          ? (format as MessageFunctionInternal).locale!
-          : ''),
+        ? (format as MessageFunctionInternal).locale!
+        : ''),
       format:
         isString(format)
-        ? format
-        : isMessageFunction(format)
-          ? (format as MessageFunctionInternal).source!
-          : '',
+          ? format
+          : isMessageFunction(format)
+            ? (format as MessageFunctionInternal).source!
+            : '',
       message: ret as string
     }
     ;(payloads as AdditionalPayloads).meta = assign(
@@ -828,7 +829,7 @@ function resolveMessageFormat<Messages, Message>(
   } = context
   const locales = localeFallbacker(context as any, fallbackLocale, locale) // eslint-disable-line @typescript-eslint/no-explicit-any
 
-  let message: LocaleMessageValue<Message> = {}
+  let message: LocaleMessageValue<Message> = create()
   let targetLocale: Locale | undefined
   let format: PathValue = null
   let from: Locale = locale
@@ -867,7 +868,7 @@ function resolveMessageFormat<Messages, Message>(
     }
 
     message =
-      (messages as unknown as LocaleMessages<Message>)[targetLocale] || {}
+      (messages as unknown as LocaleMessages<Message>)[targetLocale] || create()
 
     // for vue-devtools timeline event
     let start: number | null = null
@@ -1042,7 +1043,7 @@ export function parseTranslateArgs<Message = string>(
   ...args: unknown[]
 ): [Path | MessageFunction<Message> | ResourceNode, TranslateOptions] {
   const [arg1, arg2, arg3] = args
-  const options = {} as TranslateOptions
+  const options = create() as TranslateOptions
 
   if (
     !isString(arg1) &&

packages/shared/src/messages.ts

@@ -1,4 +1,4 @@
-import { isArray, isObject } from './utils'
+import { isArray, isObject, create } from './utils'
 
 const isNotObjectOrIsArray = (val: unknown) => !isObject(val) || isArray(val)
 // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/explicit-module-boundary-types
@@ -14,10 +14,13 @@ export function deepCopy(src: any, des: any): void {
 
     // using `Object.keys` which skips prototype properties
     Object.keys(src).forEach(key => {
+      if (key === '__proto__') {
+        return
+      }
       // if src[key] is an object/array, set des[key]
       // to empty object/array to prevent setting by reference
       if (isObject(src[key]) && !isObject(des[key])) {
-        des[key] = Array.isArray(src[key]) ? [] : {}
+        des[key] = Array.isArray(src[key]) ? [] : create()
       }
 
       if (isNotObjectOrIsArray(des[key]) || isNotObjectOrIsArray(src[key])) {

packages/shared/src/utils.ts

@@ -81,6 +81,9 @@ export const isEmptyObject = (val: unknown): val is boolean =>
 
 export const assign = Object.assign
 
+const _create = Object.create
+export const create = (obj: object | null = null): object => _create(obj)
+
 let _globalThis: any
 export const getGlobalThis = (): any => {
   // prettier-ignore
@@ -95,7 +98,7 @@ export const getGlobalThis = (): any => {
             ? window
             : typeof global !== 'undefined'
               ? global
-              : {})
+              : create())
   )
 }
 

packages/shared/test/messages.test.ts

@@ -48,3 +48,34 @@ test('deepCopy merges without mutating src argument', () => {
   // should not mutate source object
   expect(msg1).toStrictEqual(copy1)
 })
+
+describe('CVE-2024-52810', () => {
+  test('__proto__', () => {
+    const source = '{ "__proto__": { "pollutedKey": 123 } }'
+    const dest = {}
+
+    deepCopy(JSON.parse(source), dest)
+    expect(dest).toEqual({})
+    // @ts-ignore -- initialize polluted property
+    expect(JSON.parse(JSON.stringify({}.__proto__))).toEqual({})
+  })
+
+  test('nest __proto__', () => {
+    const source = '{ "foo": { "__proto__": { "pollutedKey": 123 } } }'
+    const dest = {}
+
+    deepCopy(JSON.parse(source), dest)
+    expect(dest).toEqual({ foo: {} })
+    // @ts-ignore -- initialize polluted property
+    expect(JSON.parse(JSON.stringify({}.__proto__))).toEqual({})
+  })
+
+  test('constructor prototype', () => {
+    const source = '{ "constructor": { "prototype": { "polluted": 1 } } }'
+    const dest = {}
+
+    deepCopy(JSON.parse(source), dest)
+    // @ts-ignore -- initialize polluted property
+    expect({}.polluted).toBeUndefined()
+  })
+})

packages/vue-i18n-core/src/components/Translation.ts

@@ -1,5 +1,5 @@
 import { h, defineComponent } from 'vue'
-import { isNumber, isString, isObject, assign } from '@intlify/shared'
+import { isNumber, isString, isObject, assign, create } from '@intlify/shared'
 import { TranslateVNodeSymbol } from '../symbols'
 import { useI18n } from '../i18n'
 import { baseFormatProps } from './base'
@@ -59,7 +59,7 @@ export const TranslationImpl = /*#__PURE__*/ defineComponent({
 
     return (): VNodeChild => {
       const keys = Object.keys(slots).filter(key => key !== '_')
-      const options = {} as TranslateOptions
+      const options = create() as TranslateOptions
       if (props.locale) {
         options.locale = props.locale
       }
@@ -73,7 +73,7 @@ export const TranslationImpl = /*#__PURE__*/ defineComponent({
         arg,
         options
       )
-      const assignedAttrs = assign({}, attrs)
+      const assignedAttrs = assign(create(), attrs)
       const tag =
         isString(props.tag) || isObject(props.tag)
           ? props.tag