fix: use safe property assignment in deepMergeSimple (#16271)

# Overview

`deepMergeSimple` was not guarding against certain special keys that can
trigger inherited setters, causing unexpected behavior on the returned
object. Fixed by skipping those keys.

## Key Changes

Added an early `continue` for `__proto__`, `constructor`, and
`prototype` in both copies of `deepMergeSimple` (`packages/translations`
and `packages/ui`)

## Design Decisions

Benchmarked this against `Object.defineProperty`, blocklist adds
negligible overhead, `Object.defineProperty` was ~5-9x slower. Blocklist
is also the standard approach used by lodash and others.

Author: PatrikKozak

packages/translations/src/utilities/deepMergeSimple.spec.ts

@@ -0,0 +1,48 @@
+import { describe, expect, it } from 'vitest'
+
+import { deepMergeSimple } from './deepMergeSimple.js'
+
+describe('deepMergeSimple', () => {
+  it('should merge two flat objects', () => {
+    const result = deepMergeSimple({ a: 1 }, { b: 2 })
+    expect(result).toEqual({ a: 1, b: 2 })
+  })
+
+  it('should let obj2 override obj1 keys', () => {
+    const result = deepMergeSimple({ a: 1 }, { a: 2 })
+    expect(result).toEqual({ a: 2 })
+  })
+
+  it('should recursively merge nested objects', () => {
+    const result = deepMergeSimple({ a: { b: 1, c: 2 } }, { a: { c: 3, d: 4 } })
+    expect(result).toEqual({ a: { b: 1, c: 3, d: 4 } })
+  })
+
+  it('should not mutate the input objects', () => {
+    const obj1 = { a: 1 }
+    const obj2 = { b: 2 }
+    deepMergeSimple(obj1, obj2)
+    expect(obj1).toEqual({ a: 1 })
+    expect(obj2).toEqual({ b: 2 })
+  })
+
+  it('should not pollute global Object.prototype via __proto__', () => {
+    const malicious = JSON.parse('{"__proto__": {"isAdmin": true}}')
+    deepMergeSimple({}, malicious)
+    expect(({} as any).isAdmin).toBeUndefined()
+  })
+
+  it('should not hijack the returned object prototype via __proto__', () => {
+    const malicious = JSON.parse('{"__proto__": {"isAdmin": true}}')
+    const result = deepMergeSimple({}, malicious) as any
+    expect(result.isAdmin).toBeUndefined()
+  })
+
+  it('should not hijack prototype via nested __proto__ key', () => {
+    const malicious = JSON.parse('{"a": {"__proto__": {"isAdmin": true}}}')
+    const base = { a: {} }
+    const result = deepMergeSimple(base, malicious) as any
+    expect(result.a.isAdmin).toBeUndefined()
+    expect(({} as any).isAdmin).toBeUndefined()
+  })
+})

packages/translations/src/utilities/deepMergeSimple.ts

@@ -12,6 +12,9 @@ export function deepMergeSimple<T = object>(obj1: object, obj2: object): T {
   const output = { ...obj1 }
 
   for (const key in obj2) {
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+      continue
+    }
     if (Object.prototype.hasOwnProperty.call(obj2, key)) {
       // @ts-expect-error - vestiges of when tsconfig was not strict. Feel free to improve
       if (typeof obj2[key] === 'object' && !Array.isArray(obj2[key]) && obj1[key]) {

packages/ui/src/utilities/deepMerge.ts

@@ -5,13 +5,18 @@
  *
  * obj2 takes precedence over obj1 - thus if obj2 has a key that obj1 also has, obj2's value will be used.
  *
+ * NOTE: This must remain a 1:1 copy of `deepMergeSimple` in `@payloadcms/translations/utilities`.
+ *
  * @param obj1 base object
  * @param obj2 object to merge "into" obj1
  */
 export function deepMergeSimple<T = object>(obj1: object, obj2: object): T {
   const output = { ...obj1 }
 
   for (const key in obj2) {
+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+      continue
+    }
     if (Object.prototype.hasOwnProperty.call(obj2, key)) {
       if (typeof obj2[key] === 'object' && !Array.isArray(obj2[key]) && obj1[key]) {
         output[key] = deepMergeSimple(obj1[key], obj2[key])