fix: block forbidden keys in Queryable setter to prevent prototype pollution

12122J · claude · owlstronaut · commit 080e3b29e69d · 2026-05-28T08:50:23.000-07:00
Sanitize __proto__, constructor, and prototype keys in the setKeys
function to prevent prototype pollution via npm pkg set. Previously,
passing __proto__.scripts.postinstall as a key would pollute
Object.prototype, causing @npmcli/package-json to write inherited
properties to disk and enabling RCE on next npm install.

Fixes GHSA-jjm5-4238-9vmw

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/lib/utils/queryable.js b/lib/utils/queryable.js
@@ -2,6 +2,8 @@ const util = require('node:util')
 const _delete = Symbol('delete')
 const _append = Symbol('append')
 
+const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
+
 const sqBracketsMatcher = str => str.match(/(.+)\[([^\]]+)\]\.?(.*)$/)
 
 // replaces any occurrence of an empty-brackets (e.g: []) with a special Symbol(append) to represent it
@@ -122,6 +124,9 @@ const setter = ({ data, key, value, force }) => {
   // e.g: ['foo', 'bar', 'baz'] -> { foo: { bar: { baz:  {} } }
   const keys = parseKeys(key)
   const setKeys = (_data, _key) => {
+    if (FORBIDDEN_KEYS.has(String(_key))) {
+      throw Object.assign(new Error(`Forbidden key: "${_key}"`), { code: 'EFORBIDDENKEY' })
+    }
     // handles array indexes, converting valid integers to numbers
     // note that occurrences of Symbol(append) will throw so we just ignore these for now
     let maybeIndex = Number.NaN
diff --git a/test/lib/utils/queryable.js b/test/lib/utils/queryable.js
@@ -963,3 +963,42 @@ t.test('bracket lovers', async t => {
     'any top-level item cannot be parsed with square bracket notation'
   )
 })
+
+t.test('forbidden keys', async t => {
+  // defensive cleanup in case any assertion below unexpectedly mutates the prototype
+  t.teardown(() => {
+    delete Object.prototype.scripts
+    delete Object.prototype.polluted
+  })
+
+  for (const key of ['__proto__', 'constructor', 'prototype']) {
+    t.throws(
+      () => new Queryable({ name: 'demo' }).set(`${key}.scripts.postinstall`, 'cmd'),
+      { code: 'EFORBIDDENKEY' },
+      `should throw EFORBIDDENKEY when '${key}' is used as a top-level key`
+    )
+  }
+
+  t.throws(
+    () => new Queryable({}).set('a.__proto__.scripts.postinstall', 'cmd'),
+    { code: 'EFORBIDDENKEY' },
+    'should throw when __proto__ appears nested in a dotted path'
+  )
+
+  t.throws(
+    () => new Queryable({}).set('foo[__proto__].scripts.postinstall', 'cmd'),
+    { code: 'EFORBIDDENKEY' },
+    'should throw when __proto__ is used via square bracket notation'
+  )
+
+  t.throws(
+    () => new Queryable({ scripts: { postinstall: 'x' } }).delete('__proto__.scripts'),
+    { code: 'EFORBIDDENKEY' },
+    'should block forbidden keys via delete() as well as set()'
+  )
+
+  t.notOk(
+    Object.prototype.scripts,
+    'Object.prototype must not be polluted by any forbidden-key attempt'
+  )
+})
