fix: prevent prototype pollution in MO/PO parsers and headers

smhg · smhg · commit 297db4bb4bd0 · 2026-03-15T20:06:05.000+01:00
diff --git a/lib/moparser.js b/lib/moparser.js
@@ -163,11 +163,11 @@ Parser.prototype._addString = function (msgid, msgstr) {
   msgstr = msgstr.split('\u0000');
   translation.msgstr = [].concat(msgstr || []);
 
-  if (!this._table.translations[msgctxt]) {
-    this._table.translations[msgctxt] = {};
+  if (!Object.hasOwn(this._table.translations, msgctxt)) {
+    Object.defineProperty(this._table.translations, msgctxt, { value: {}, writable: true, enumerable: true, configurable: true });
   }
 
-  this._table.translations[msgctxt][msgid] = translation;
+  Object.defineProperty(this._table.translations[msgctxt], msgid, { value: translation, writable: true, enumerable: true, configurable: true });
 };
 
 /**
diff --git a/lib/poparser.js b/lib/poparser.js
@@ -464,19 +464,19 @@ Parser.prototype._normalize = function (tokens) {
         table.obsolete = {};
       }
 
-      if (!table.obsolete[msgctxt]) {
-        table.obsolete[msgctxt] = {};
+      if (!Object.hasOwn(table.obsolete, msgctxt)) {
+        Object.defineProperty(table.obsolete, msgctxt, { value: {}, writable: true, enumerable: true, configurable: true });
       }
 
       delete tokens[i].obsolete;
 
-      table.obsolete[msgctxt][tokens[i].msgid] = tokens[i];
+      Object.defineProperty(table.obsolete[msgctxt], tokens[i].msgid, { value: tokens[i], writable: true, enumerable: true, configurable: true });
 
       continue;
     }
 
-    if (!table.translations[msgctxt]) {
-      table.translations[msgctxt] = {};
+    if (!Object.hasOwn(table.translations, msgctxt)) {
+      Object.defineProperty(table.translations, msgctxt, { value: {}, writable: true, enumerable: true, configurable: true });
     }
 
     if (!table.headers && !msgctxt && !tokens[i].msgid) {
@@ -486,7 +486,7 @@ Parser.prototype._normalize = function (tokens) {
 
     this._validateToken(tokens[i], table.translations, msgctxt, nplurals);
 
-    table.translations[msgctxt][tokens[i].msgid] = tokens[i];
+    Object.defineProperty(table.translations[msgctxt], tokens[i].msgid, { value: tokens[i], writable: true, enumerable: true, configurable: true });
   }
 
   return table;
diff --git a/lib/shared.js b/lib/shared.js
@@ -32,7 +32,7 @@ export function parseHeader (str = '') {
 
         key = HEADERS.get(key.toLowerCase()) || key;
 
-        headers[key] = value;
+        Object.defineProperty(headers, key, { value, writable: true, enumerable: true, configurable: true });
       }
 
       return headers;
diff --git a/test/po-parser-test.js b/test/po-parser-test.js
@@ -240,4 +240,15 @@ describe('PO Parser', () => {
       });
     });
   });
+
+  describe('prototype pollution', () => {
+    it('should not pollute Object.prototype via msgctxt', () => {
+      const po = 'msgctxt "__proto__"\nmsgid "polluted"\nmsgstr "yes"\n';
+
+      gettextParser.po.parse(po);
+
+      assert.strictEqual({}.polluted, undefined, 'Object.prototype should not be polluted');
+      assert.strictEqual(({}).polluted, undefined, 'Object.prototype should not be polluted');
+    });
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -464,19 +464,19 @@ Parser.prototype._normalize = function (tokens) {`
`464`	`464`	`table.obsolete = {};`
`465`	`465`	`}`
`466`	`466`
`467`		`- if (!table.obsolete[msgctxt]) {`
`468`		`- table.obsolete[msgctxt] = {};`
	`467`	`+ if (!Object.hasOwn(table.obsolete, msgctxt)) {`
	`468`	`+ Object.defineProperty(table.obsolete, msgctxt, { value: {}, writable: true, enumerable: true, configurable: true });`
`469`	`469`	`}`
`470`	`470`
`471`	`471`	`delete tokens[i].obsolete;`
`472`	`472`
`473`		`- table.obsolete[msgctxt][tokens[i].msgid] = tokens[i];`
	`473`	`+ Object.defineProperty(table.obsolete[msgctxt], tokens[i].msgid, { value: tokens[i], writable: true, enumerable: true, configurable: true });`
`474`	`474`
`475`	`475`	`continue;`
`476`	`476`	`}`
`477`	`477`
`478`		`- if (!table.translations[msgctxt]) {`
`479`		`- table.translations[msgctxt] = {};`
	`478`	`+ if (!Object.hasOwn(table.translations, msgctxt)) {`
	`479`	`+ Object.defineProperty(table.translations, msgctxt, { value: {}, writable: true, enumerable: true, configurable: true });`
`480`	`480`	`}`
`481`	`481`
`482`	`482`	`if (!table.headers && !msgctxt && !tokens[i].msgid) {`
`@@ -486,7 +486,7 @@ Parser.prototype._normalize = function (tokens) {`
`486`	`486`
`487`	`487`	`this._validateToken(tokens[i], table.translations, msgctxt, nplurals);`
`488`	`488`
`489`		`- table.translations[msgctxt][tokens[i].msgid] = tokens[i];`
	`489`	`+ Object.defineProperty(table.translations[msgctxt], tokens[i].msgid, { value: tokens[i], writable: true, enumerable: true, configurable: true });`
`490`	`490`	`}`
`491`	`491`
`492`	`492`	`return table;`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ export function parseHeader (str = '') {`
`32`	`32`
`33`	`33`	`key = HEADERS.get(key.toLowerCase()) \|\| key;`
`34`	`34`
`35`		`- headers[key] = value;`
	`35`	`+ Object.defineProperty(headers, key, { value, writable: true, enumerable: true, configurable: true });`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`return headers;`