Add createRecord helper for prototype-less objects

steida · steida · commit adfd6af017c4 · 2025-11-23T15:31:19.000+01:00
diff --git a/.changeset/cold-nails-wink.md b/.changeset/cold-nails-wink.md
@@ -0,0 +1,6 @@
+"@evolu/common": patch
+
+Add a typed helper `createRecord` for safely creating prototype-less
+`Record<K, V>` instances (via `Object.create(null)`). This prevents
+prototype pollution and accidental key collisions for object keys that come
+from external sources, like database column names.
diff --git a/packages/common/src/Object.ts b/packages/common/src/Object.ts
@@ -31,7 +31,7 @@ type StringKeyOf<T> = Extract<keyof T, string>;
  *
  * ```ts
  * type UserId = string & { readonly __brand: "UserId" };
- * const users: Record<UserId, string> = {};
+ * const users = createRecord<UserId, string>();
  * const entries = objectToEntries(users); // [UserId, string][]
  * ```
  */
@@ -70,3 +70,22 @@ export const excludeProp = <T extends object, K extends keyof T>(
   const { [prop]: _, ...rest } = obj;
   return rest;
 };
+
+/**
+ * Creates a prototype-less object typed as `Record<K, V>`.
+ *
+ * Use this function when you need a plain record without a prototype chain
+ * (e.g. when keys are controlled by external sources) to avoid prototype
+ * pollution and accidental collisions with properties like `__proto__`.
+ *
+ * Example:
+ *
+ * ```ts
+ * const values = createRecord<string, SqliteValue>();
+ * values["__proto__"] = someValue; // safe, no prototype pollution
+ * ```
+ */
+export const createRecord = <K extends string = string, V = unknown>(): Record<
+  K,
+  V
+> => Object.create(null) as Record<K, V>;
diff --git a/packages/common/src/local-first/Diff.ts b/packages/common/src/local-first/Diff.ts
@@ -1,5 +1,5 @@
 import { createRandomBytes } from "../Crypto.js";
-import { isPlainObject, ReadonlyRecord } from "../Object.js";
+import { createRecord, isPlainObject, ReadonlyRecord } from "../Object.js";
 import { orderUint8Array } from "../Order.js";
 import { SqliteValue } from "../Sqlite.js";
 import { createId, String } from "../Type.js";
@@ -136,7 +136,7 @@ const parse = (obj: unknown): unknown => {
 const parseObject = (
   obj: ReadonlyRecord<string, unknown>,
 ): ReadonlyRecord<string, unknown> => {
-  const result = Object.create(null) as Record<string, unknown>;
+  const result = createRecord();
   for (const key in obj) {
     result[key] = parse(obj[key]);
   }
diff --git a/packages/common/src/local-first/Protocol.ts b/packages/common/src/local-first/Protocol.ts
@@ -198,7 +198,7 @@ import {
 } from "../Crypto.js";
 import { eqArrayNumber } from "../Eq.js";
 import { computeBalancedBuckets } from "../Number.js";
-import { objectToEntries } from "../Object.js";
+import { createRecord, objectToEntries } from "../Object.js";
 import { err, ok, Result } from "../Result.js";
 import { SqliteValue } from "../Sqlite.js";
 import {
@@ -221,8 +221,8 @@ import {
 } from "../Type.js";
 import { Predicate } from "../Types.js";
 import {
-  OwnerError,
   Owner,
+  OwnerError,
   OwnerId,
   OwnerIdBytes,
   ownerIdToOwnerIdBytes,
@@ -1816,7 +1816,7 @@ export const decryptAndDecodeDbChange =
       const id = decodeId(buffer);
 
       const length = decodeLength(buffer);
-      const values = Object.create(null) as Record<string, SqliteValue>;
+      const values = createRecord<string, SqliteValue>();
 
       for (let i = 0; i < length; i++) {
         const column = decodeString(buffer);
diff --git a/packages/common/src/local-first/Sync.ts b/packages/common/src/local-first/Sync.ts
@@ -15,7 +15,7 @@ import {
 import { eqArrayNumber } from "../Eq.js";
 import { createTransferableError, TransferableError } from "../Error.js";
 import { constFalse, constTrue } from "../Function.js";
-import { objectToEntries } from "../Object.js";
+import { createRecord, objectToEntries } from "../Object.js";
 import { RandomDep } from "../Random.js";
 import { createResources } from "../Resources.js";
 import { err, ok, Result } from "../Result.js";
@@ -581,7 +581,7 @@ const createClientStorage =
         assert(rows.length > 0, "Rows must not be empty");
 
         const { table, id } = rows[0];
-        const values: Record<string, SqliteValue> = {};
+        const values = createRecord<string, SqliteValue>();
         let isInsert = false;
         let isDelete: boolean | null = null;
 
diff --git a/packages/common/test/Object.test.ts b/packages/common/test/Object.test.ts
@@ -1,9 +1,20 @@
 import { expect, test } from "vitest";
-import { isPlainObject } from "../src/Object.js";
+import { createRecord, isPlainObject } from "../src/Object.js";
 
 test("isPlainObject", () => {
   expect(isPlainObject({})).toBe(true);
   expect(isPlainObject(new Date())).toBe(false);
   expect(isPlainObject([])).toBe(false);
   expect(isPlainObject(null)).toBe(false);
 });
+
+test("createRecord", () => {
+  const values = createRecord<string, number>();
+  values.__proto__ = 123;
+
+  expect(values.__proto__).toBe(123);
+
+  // Ensure Object.prototype was not changed
+  const protoValue = (Object.prototype as any).__proto__;
+  expect((Object.prototype as any).__proto__).toBe(protoValue);
+});
