#0504

Template Context Merge

Medium | +100 XP | A08:2021 Software and Data Integrity Failures | CWE-1321
Prototype Pollution

Scenario

Your template engine merges a trusted base context with a user-supplied context using `Object.assign`.

Because `Object.assign` copies enumerable own properties, an attacker can craft a JSON body whose parsed form contains a `__proto__` string key (via `JSON.parse`) and pollute `Object.prototype` when that key is then spread.

Template engines that accept user-controlled context objects are a prime vector. A single polluted property can change the rendering behaviour for every subsequent template in the process.

Your Tasks

  1. Before merging, scan every key in `userSupplied` for forbidden names.
  2. Throw `'Prototype pollution detected'` if any key is `__proto__`, `constructor`, or `prototype`.
  3. Return the merged context object for safe inputs.

Examples

Example 1: Exploit — `__proto__` key in `userSupplied`

```js
buildContext({title:'Home'}, {"__proto__":{"isAdmin":true}})
// throws: 'Prototype pollution detected'
```

Example 2: Safe — normal context merge

```js
buildContext({title:'Home'}, {user:'alice'})
// returns: {title:'Home', user:'alice'}
```

Constraints

  • Throw exactly `'Prototype pollution detected'` on any forbidden key.
  • Only top-level keys need to be checked for this challenge.
  • Return the merged result — do not mutate `base`; create a new object.
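
The scenario's unguarded merge beside a guarded one, as an added example that is not part of the original challenge page. `unsafeBuildContext`, `FORBIDDEN_KEYS` and `demo` are hypothetical names, the request body is constructed, and throwing an `Error` carrying the required message is an assumption about what the challenge expects.

```javascript
// Added example: names other than buildContext are hypothetical.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded merge from the scenario. Object.assign performs an ordinary
// property set for each own enumerable source key, so an own "__proto__" key
// reaches the __proto__ setter and replaces the new object's prototype.
function unsafeBuildContext(base, userSupplied) {
  return Object.assign({}, base, userSupplied);
}

// Guarded merge: scan top-level keys first, then merge into a fresh object
// so that `base` is never mutated.
function buildContext(base, userSupplied) {
  for (const key of Object.keys(userSupplied)) {
    if (FORBIDDEN_KEYS.has(key)) {
      // Assumption: an Error with the exact message required by the challenge.
      throw new Error('Prototype pollution detected');
    }
  }
  return Object.assign({}, base, userSupplied);
}

function demo() {
  // Constructed sample body. JSON.parse creates "__proto__" as an own key;
  // an object literal written in source would set the prototype instead and
  // leave no own key for the scan to find.
  const body = JSON.parse('{"__proto__":{"isAdmin":true},"user":"mallory"}');
  const base = { title: 'Home' };

  const merged = unsafeBuildContext(base, body);
  let rejected = null;
  try {
    buildContext(base, body);
  } catch (err) {
    rejected = err.message;
  }

  return {
    inheritedIsAdmin: merged.isAdmin, // inherited from the attacker's object
    ownIsAdmin: Object.prototype.hasOwnProperty.call(merged, 'isAdmin'),
    rejected,
    safe: buildContext(base, { user: 'alice' }),
    baseKeys: Object.keys(base), // base is left untouched
  };
}

console.log(demo());
```

Because `isAdmin` is inherited rather than an own property, it does not appear in `Object.keys(merged)` or `JSON.stringify(merged)`, so logging the merged context will not reveal it.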
