fix(encoding/jsonc): avoid prototype pollution in Node.js and Browser (#3077)

encoding/jsonc.ts

@@ -271,7 +271,12 @@ class JSONCParser {
       }
 
       const token3 = this.#getNext();
-      target[key] = this.#parseJSONValue(token3);
+      Object.defineProperty(target, key, {
+        value: this.#parseJSONValue(token3),
+        writable: true,
+        enumerable: true,
+        configurable: true,
+      });
 
       const token4 = this.#getNext();
       if (token4.type === tokenType.endObject) {

encoding/jsonc_test.ts

@@ -2,6 +2,7 @@
 
 import * as JSONC from "./jsonc.ts";
 import {
+  assert,
   assertEquals,
   assertStrictEquals,
   assertThrows,
@@ -171,3 +172,31 @@ Deno.test({
     assertValidParse('  ["foo\\\\\\\\", "bar"]', ["foo\\\\", "bar"]);
   },
 });
+
+Deno.test({
+  name: "[jsonc] use Object.defineProperty when setting object property",
+  async fn() {
+    // Tests if the value is set using `Object.defineProperty(target, key, {value})`
+    // instead of `target[key] = value` when parsing the object.
+    // This makes a difference in behavior when __proto__ is set in Node.js and browsers.
+    // Using `Object.defineProperty` avoids prototype pollution in Node.js and browsers.
+    // reference: https://github.com/advisories/GHSA-9c47-m6qq-7p4h (CVE-2022-46175)
+
+    const testCode = `
+      Object.defineProperty(Object.prototype, "__proto__", {
+        set() {
+          throw new Error("Don't try to set the value directly to the key __proto__.")
+        }
+      });
+      import { parse } from "${import.meta.resolve("./jsonc.ts")}";
+      parse('{"__proto__": {"isAdmin": true}}');
+    `;
+    const command = new Deno.Command(Deno.execPath(), {
+      stdout: "inherit",
+      stderr: "inherit",
+      args: ["eval", testCode],
+    });
+    const { success } = await command.output();
+    assert(success);
+  },
+});