[utils] Prevent prototype pollution in fastDeepAssign by Janpot · Pull Request #48580 · mui/material-ui

@Janpot

`JSON.parse` creates a literal `__proto__` own property without triggering the prototype setter. The `for (const key in source)` loop enumerates that key, and `target[key] = ...` then triggers the setter on `Object.prototype`, polluting the global prototype. This affects every consumer of `unstable_fastDeepAssign` (the merge used by `sx`, `compose`, and `breakpoints` in `@mui/system`), where the source object can be application-provided at runtime.

Skip `__proto__`, `constructor`, and `prototype` in `mergeObject` and `cloneObject`. Adds regression tests.
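The hazard and the guard side by side, as an added JavaScript illustration that is not the PR's or @mui/system's own code: `unsafeDeepAssign` mirrors the `for...in` merge the description explains, `safeDeepAssign` skips the three keys the PR names, and `runScenario` feeds each a constructed `JSON.parse` payload and reports whether an unrelated object observed the pollution (all function names here are assumptions).

```javascript
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable shape described in the PR: for...in enumerates the own "__proto__"
// key that JSON.parse created, and target["__proto__"] resolves to
// Object.prototype, so the recursion writes straight onto the global prototype.
function unsafeDeepAssign(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeDeepAssign(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened shape: skip the three keys that can reach a prototype, and only
// recurse into nested objects the target actually owns.
function safeDeepAssign(target, source) {
  for (const key in source) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepAssign(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed payload of the kind an application could hand to sx at runtime.
const PAYLOAD = '{"color":"red","__proto__":{"polluted":true}}';

// Runs one merge and reports whether an unrelated object observed the pollution.
function runScenario(merge) {
  const target = {};
  merge(target, JSON.parse(PAYLOAD));
  const leaked = {}.polluted === true;
  delete Object.prototype.polluted; // undo any pollution so later code is unaffected
  return { leaked, color: target.color, ownKeys: Object.keys(target) };
}
```

Both merges copy `color`; only the hardened one leaves `Object.prototype` untouched, which is the property the PR's regression tests pin down.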