Update isSafeDynamicKey and JSDoc for readability, add prototype to blocklist

MajorLift · MajorLift · commit 4d634eaf77f8 · 2024-03-14T16:22:32.000-04:00
diff --git a/packages/controller-utils/jest.config.js b/packages/controller-utils/jest.config.js
@@ -19,7 +19,7 @@ module.exports = merge(baseConfig, {
     global: {
       branches: 77.65,
       functions: 81.25,
-      lines: 86.87,
+      lines: 86.53,
       statements: 86.74,
     },
   },
diff --git a/packages/controller-utils/src/util.ts b/packages/controller-utils/src/util.ts
@@ -16,17 +16,23 @@ import { MAX_SAFE_CHAIN_ID } from './constants';
 
 const TIMEOUT_ERROR = new Error('timeout');
 
-const PROTOTYPE_POLLUTION_BLOCKLIST = ['__proto__', 'constructor'] as const;
+const PROTOTYPE_POLLUTION_BLOCKLIST = [
+  '__proto__',
+  'constructor',
+  'prototype',
+] as const;
 
 /**
- * Checks whether a dynamic string used as an object property key
- * could be used in a prototype pollution attack.
+ * Checks whether a dynamic property key could be used in
+ * a [prototype pollution attack](https://portswigger.net/web-security/prototype-pollution).
  *
- * @param key - The dynamic key to check for safety.
- * @returns Whether the given dyanmic key is safe to use.
+ * @param key - The dynamic key to validate.
+ * @returns Whether the given dynamic key is safe to use.
  */
 export function isSafeDynamicKey(key: string): boolean {
-  return PROTOTYPE_POLLUTION_BLOCKLIST.every((badInput) => key !== badInput);
+  return !PROTOTYPE_POLLUTION_BLOCKLIST.some(
+    (blockedKey) => key === blockedKey,
+  );
 }
 
 /**
