@Moumouls (Member) commented Oct 10, 2025

Pull Request

Issue

Closes: GHSA-9g8m-v378-pcg3

Approach

Use Object create null

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)

Summary by CodeRabbit

  • New Features
    • Added capability to remove and return per-object state.
  • Refactor
    • Reworked state storage to use prototype-free objects for improved safety and reliability.
    • Adjusted internal logic to align with the new state structures.
  • Tests
    • Expanded test coverage for edge cases involving unusual class names and IDs.
  • Style
    • Standardized import and string literal quotes for consistency.

@parseplatformorg (Contributor) commented Oct 10, 2025

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical 0, High 0, Medium 0, Low 0. Total: 0 issues.



coderabbitai bot commented Oct 10, 2025

Walkthrough

Prototype-safe state storage was introduced by replacing {} with Object.create(null) in SingleInstanceStateController and adding a new exported removeState(obj) API. Related tests for prototype pollution scenarios were added. Two other files received quote/style-only changes without behavior modifications.

Changes

Prototype-safe state storage & API (src/SingleInstanceStateController.ts)
  • Switched all state containers/maps to prototype-free objects via Object.create(null); adjusted init/clear paths accordingly; added exported removeState(obj): State | null; minor formatting and import-quote updates.
Prototype pollution tests (src/__tests__/SingleInstanceStateController-test.js)
  • Added tests covering pollution attempts via className/id like "__proto__", "constructor", "prototype"; validated safe initialization, storage, retrieval, and cleanup behaviors.
Formatting only (src/LocalDatastoreController.default.ts, src/ObjectStateMutations.ts)
  • Quote/style normalization (single→double quotes), minor reflow; no behavioral changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Caller
  participant StateCtrl as SingleInstanceStateController
  participant Store as objectState (prototype-free)

  rect rgb(235, 245, 255)
  note right of Store: All maps use Object.create(null)
  Caller->>StateCtrl: getState(obj)
  StateCtrl->>Store: ensure className/id containers
  Store-->>StateCtrl: State (created if missing)
  StateCtrl-->>Caller: State
  end

  rect rgb(240, 250, 240)
  Caller->>StateCtrl: removeState(obj)
  StateCtrl->>Store: delete state for className/id
  Store-->>StateCtrl: Removed State or null
  StateCtrl-->>Caller: State \| null
  end

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 7.14%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. The description follows the repository template by including the Pull Request header, the linked advisory in the Issue section, a concise Approach, and completed Tasks, satisfying the required sections and structure.
  • Title Check: ✅ Passed. The title succinctly identifies the primary change by specifying a fix for a prototype pollution vulnerability in SingleInstanceStateController.initializeState and includes the relevant advisory identifier, matching the pull request's main objective. It is clear and specific enough for a teammate to understand the core update without extraneous details. The conventional "fix:" prefix further clarifies the nature of the change.
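As an added illustration of the walkthrough above (example code, not the Parse JS SDK's own implementation), here is a toy version of the className/id/state map with the container factory swapped between a plain {} and Object.create(null); the names makeStore, initializeState, removeState and pollutes are assumptions.

```javascript
// Added example (not the Parse SDK's own code): a minimal model of the
// className -> id -> state map kept by a single-instance state controller,
// showing why a plain {} is pollutable and Object.create(null) is not.
// Names (makeStore, initializeState, removeState, pollutes) are assumptions.

function defaultState() {
  return { serverData: {}, pendingOps: [{}], objectCache: {}, tasks: null, existed: false };
}

// Controller parameterised by how it allocates its containers.
function makeStore(newContainer) {
  const objectState = newContainer();
  return {
    initializeState(className, id, initial = defaultState()) {
      // On a plain {} the lookups hit inherited keys: "__proto__" resolves to
      // Object.prototype and "constructor" to Object, so the guard passes and
      // the id is written onto a shared built-in instead of a fresh container.
      if (!objectState[className]) objectState[className] = newContainer();
      if (!objectState[className][id]) objectState[className][id] = initial;
      return objectState[className][id];
    },
    // Mirrors the removeState(obj) API added by the PR: returns the removed
    // state, or null when nothing was stored for that className/id.
    removeState(className, id) {
      const byId = objectState[className];
      if (!byId || !byId[id]) return null;
      const state = byId[id];
      delete byId[id];
      return state;
    },
  };
}

// Does initialising state for (className, id) leak a key onto unrelated objects?
function pollutes(newContainer, className, id) {
  const store = makeStore(newContainer);
  store.initializeState(className, id);
  const leaked = id in {} || id in Object;  // visible on every object / on Object?
  // Undo any damage so the rest of this process is unaffected.
  delete Object.prototype[id];
  delete Object[id];
  return leaked;
}

const plainObject = () => ({});
const nullProto = () => Object.create(null);

console.log('plain {} with "__proto__":', pollutes(plainObject, '__proto__', 'polluted'));
console.log('Object.create(null) with "__proto__":', pollutes(nullProto, '__proto__', 'polluted'));
```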


codecov bot commented Oct 10, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (4a47f65) to head (8cbe1fb).

Additional details and impacted files
@@            Coverage Diff            @@
##             alpha     #2745   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           63        63           
  Lines         6185      6185           
  Branches      1456      1456           
=========================================
  Hits          6185      6185           


coderabbitai bot previously approved these changes Oct 10, 2025
@Moumouls (Member, Author) commented:

@mtrezza ready to review

@mtrezza (Member) commented Oct 14, 2025

@Moumouls Could you please check the failing types job?

mtrezza changed the title from "fix: GHSA-9g8m-v378-pcg3" to "fix: Prototype Pollution vulnerability in SingleInstanceStateController.initializeState (GHSA-9g8m-v378-pcg3)" on Oct 14, 2025