From bb5c5a2129c99126558d687d4c9c098beb231bc3 Mon Sep 17 00:00:00 2001
From: Eli Polonsky <Eli.polonsky@gmail.com>
Date: Wed, 18 Dec 2024 11:00:10 +0200
Subject: [PATCH] fix: use maps instead of literals in `configureCategories`
 (#1598)

Following guidance from
[here](https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html#use-new-set-or-new-map).

---

By submitting this pull request, I confirm that my contribution is made
under the terms of the [Apache 2.0 license].

[Apache 2.0 license]: https://www.apache.org/licenses/LICENSE-2.0

(cherry picked from commit e7089ad9d257bc19899c5b12abeaff8389a58ee8)
---
 src/jsii-diagnostic.ts       | 11 ++++++-----
 test/jsii-diagnostic.test.ts |  6 ++++++
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/jsii-diagnostic.ts b/src/jsii-diagnostic.ts
index bf9e6087..d60a1892 100644
--- a/src/jsii-diagnostic.ts
+++ b/src/jsii-diagnostic.ts
@@ -86,13 +86,13 @@ export class Code<T extends DiagnosticMessageFormatter = DiagnosticMessageFormat
    */
   public static lookup(codeOrName: string | number): Code | undefined {
     if (typeof codeOrName === 'number') {
-      return this.byCode[codeOrName];
+      return this.byCode.get(codeOrName);
     }
-    return this.byName[codeOrName];
+    return this.byName.get(codeOrName);
   }
 
-  private static readonly byCode: { [code: number]: Code } = {};
-  private static readonly byName: { [name: string]: Code } = {};
+  private static readonly byCode: Map<number, Code> = new Map();
+  private static readonly byName: Map<string, Code> = new Map();
 
   // eslint-disable-next-line @typescript-eslint/explicit-member-accessibility
   readonly #defaultCategory: ts.DiagnosticCategory;
@@ -126,7 +126,8 @@ export class Code<T extends DiagnosticMessageFormatter = DiagnosticMessageFormat
     if (name in Code.byName) {
       throw new Error(`Attempted to create two instances of ${this.constructor.name} with name ${name}`);
     }
-    Code.byCode[code] = Code.byName[name] = this;
+    Code.byCode.set(code, this);
+    Code.byName.set(name, this);
   }
 
   /**
diff --git a/test/jsii-diagnostic.test.ts b/test/jsii-diagnostic.test.ts
index 004cf775..93da90d5 100644
--- a/test/jsii-diagnostic.test.ts
+++ b/test/jsii-diagnostic.test.ts
@@ -9,6 +9,12 @@ describe('jsii diagnostics', () => {
       code.category = DiagnosticCategory.Suggestion;
     });
 
+    test('throws on __proto__ key', () => {
+      expect(() => configureCategories(JSON.parse('{"__proto__":{"pollutedKey":123}}'))).toThrow(
+        `Unrecognized diagnostic code '__proto__'`,
+      );
+    });
+
     test('diagnostic by name', () => {
       configureCategories({
         'metadata/package-json-missing-description': DiagnosticCategory.Error,