fix(store): prevent prototype pollution via setStore paths #2683

Merged: ryansolid merged 2 commits into solidjs:main from thomasbuilds:prototype-fix, May 14, 2026

@thomasbuilds
Contributor

Fixes a prototype-pollution vulnerability in solid-js/store. Any code path that forwards untrusted input into setStore(...), a common pattern for query params, form fields, or JSON bodies, could mutate Object.prototype and affect every object in the runtime.

Reproduction (against main)

```js
import { createStore } from "solid-js/store";
const [state, setState] = createStore({ a: 1 });

setState("__proto__", "polluted", true);
console.log(({}).polluted);        // true  ❌ global pollution

setState("__proto__", { x: true });
console.log(({}).x);               // true  ❌ global pollution

setState("constructor", "prototype", "y", true);
console.log(({}).y);               // true  ❌ global pollution

// Realistic attacker payload:
const evil = JSON.parse('{"__proto__":{"z":true}}');
setState(evil);                    // ❌ redefines the store's prototype
```

Reject writes to `__proto__` in `setProperty` and refuse to traverse
through `__proto__`, `constructor`, and `prototype` in `updatePath`.
This closes a prototype-pollution vector where attacker-controlled
path segments (e.g. from query params, form data, or a JSON payload
merged via `setStore(obj)`) could reach and mutate `Object.prototype`
or `Function.prototype` globally.

Covers all mutation entry points that funnel through `setProperty`:
`createStore` / `setStore`, `createMutable` (proxy set trap),
`produce` (setterTraps), `reconcile`, and `mergeStoreNode`.

Adds regression tests for each reachable pollution path.
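
The guard described in the PR text above, as an added example that is not part of the PR and is not solid-js source. It shows a generic nested-path setter without and with the key checks, plus a merge that skips an own `__proto__` key; `setPathUnsafe`, `setPathSafe`, `mergeSafe` and `demo` are hypothetical names, and the real `setProperty` / `updatePath` may be structured differently.

```javascript
// Added illustration (assumed helper names), not solid-js code.
const TRAVERSAL_BLOCKLIST = new Set(["__proto__", "constructor", "prototype"]);

// "Before": every segment is followed, so "__proto__" resolves to
// Object.prototype and the final write lands on the shared prototype.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) node = node[path[i]];
  node[path[path.length - 1]] = value;
}

// "After": never traverse through a blocked segment, never assign __proto__.
function setPathSafe(target, path, value) {
  if (path.length === 0) return false;
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (TRAVERSAL_BLOCKLIST.has(path[i])) return false;
    node = node[path[i]];
    const t = typeof node;
    if (node === null || (t !== "object" && t !== "function")) return false;
  }
  const last = path[path.length - 1];
  if (last === "__proto__") return false;
  node[last] = value;
  return true;
}

// Shallow merge that skips the own "__proto__" key JSON.parse can produce.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    target[key] = source[key];
  }
  return target;
}

// Constructed inputs mirroring the reproduction's paths.
function demo() {
  const out = {};
  setPathUnsafe({ a: 1 }, ["__proto__", "polluted"], true);
  out.unsafePolluted = {}.polluted === true;
  delete Object.prototype.polluted; // undo the constructed pollution
  out.safeProto = setPathSafe({ a: 1 }, ["__proto__", "polluted"], true);
  out.safeCtor = setPathSafe({ a: 1 }, ["constructor", "prototype", "y"], true);
  out.safeOk = setPathSafe({ a: { b: 0 } }, ["a", "b"], 2);
  const merged = mergeSafe({ a: 1 }, JSON.parse('{"__proto__":{"z":true},"b":2}'));
  out.mergedKeepsProto = Object.getPrototypeOf(merged) === Object.prototype;
  out.mergedB = merged.b;
  out.globalClean = [{}.polluted, {}.y, {}.z].every((v) => v === undefined);
  return out;
}
console.log(demo());
```
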

@changeset-bot

changeset-bot Bot commented Apr 23, 2026

🦋 Changeset detected

Latest commit: dad5b06

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

| Name | Type |
| --- | --- |
| solid-js | Patch |
| test-integration | Patch |

@ryansolid ryansolid merged commit 43cbc98 into solidjs:main May 14, 2026
1 check passed
@ryansolid
Member

thank you
