fix(core): sanitize object keys in deepCopy to prevent prototype pollution

XananasX7 · web-flow · commit 75abf38d5220 · 2026-04-24T14:38:59.000+01:00
This patch addresses a critical Prototype Pollution vulnerability in the deepCopy utility. By blocking sensitive keys such as __proto__, constructor, and prototype during recursive cloning, we prevent attackers from polluting the global Object.prototype via malicious configuration files (e.g., angular.json). This fix directly mitigates the RCE risk reported in Google Issue Tracker #506079652.
diff --git a/packages/angular_devkit/core/src/utils/object.ts b/packages/angular_devkit/core/src/utils/object.ts
@@ -30,11 +30,18 @@ export function deepCopy<T>(value: T): T {
 
     const copy = Object.create(Object.getPrototypeOf(valueCasted));
     valueCasted[copySymbol] = copy;
+
     for (const key of Object.getOwnPropertyNames(valueCasted)) {
+      // 🛡️ SECURITY CHECK FIRST: Block prototype pollution keys
+      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+        continue;
+      }
+      
+      // Now it is safe to copy
       copy[key] = deepCopy(valueCasted[key]);
     }
+    
     delete valueCasted[copySymbol];
-
     return copy;
   } else {
     return value;
