Fix __proto__ property emit

The `__proto__` property is a special use case. It can be defined as a
computed property in an object expression, or via `defineProperty`. If
it’s assigned via a non-computed property in an object expression or via
a regular property assignment, even computed, this sets the prototype of
the object instead. This makes the generated code potentially vulnerable
to prototype pollution.

Author: remcohaszing

fixtures/object-proto-property-recursive/input.js

@@ -0,0 +1,27 @@
+// Used as input
+// { preserveReferences: true }
+export default ((
+  $1 = {
+    name: '$1'
+  },
+  $0 = {
+    ['__proto__']: $1,
+    name: '$0'
+  }
+) => (
+  Object.defineProperties($1, {
+    ['__proto__']: {
+      value: $0,
+      configurable: true,
+      enumerable: true,
+      writable: true
+    }
+  }),
+  $0
+))()
+
+// -------------------------------------------------------------------------------------------------
+
+// Default output
+// { preserveReferences: false }
+// Recursive references are not supported without preserveReferences

fixtures/object-proto-property/input.js

@@ -0,0 +1,13 @@
+// Used as input
+// { preserveReferences: true }
+export default {
+  ['__proto__']: {}
+}
+
+// -------------------------------------------------------------------------------------------------
+
+// Default output
+// { preserveReferences: false }
+const withoutPreserveReferences = {
+  ['__proto__']: {}
+}

src/estree-util-value-to-estree.ts

@@ -326,15 +326,15 @@ function symbolToEstree(symbol: symbol): Expression {
  *   The ESTree properry node.
  */
 function property(key: string | symbol, value: Expression): Property {
-  const computed = typeof key !== 'string'
+  const isString = typeof key === 'string'
 
   return {
     type: 'Property',
     method: false,
     shorthand: false,
-    computed,
+    computed: key === '__proto__' || !isString,
     kind: 'init',
-    key: computed ? symbolToEstree(key) : literal(key),
+    key: isString ? literal(key) : symbolToEstree(key),
     value
   }
 }
@@ -794,7 +794,15 @@ export function valueToEstree(value: unknown, options: Options = {}): Expression
 
     const properties: Property[] = []
     if (Object.getPrototypeOf(val) == null) {
-      properties.push(property('__proto__', literal(null)))
+      properties.push({
+        type: 'Property',
+        method: false,
+        shorthand: false,
+        computed: false,
+        kind: 'init',
+        key: identifier('__proto__'),
+        value: literal(null)
+      })
     }
 
     const object = val as Record<string | symbol, unknown>
@@ -826,17 +834,31 @@ export function valueToEstree(value: unknown, options: Options = {}): Expression
         childContext &&
         namedContexts.indexOf(childContext) >= namedContexts.indexOf(context)
       ) {
-        childContext.assignment = {
-          type: 'AssignmentExpression',
-          operator: '=',
-          left: {
-            type: 'MemberExpression',
-            computed: true,
-            optional: false,
-            object: identifier(context.name!),
-            property: generate(key)
-          },
-          right: childContext.assignment || generate(child)
+        if (key === '__proto__') {
+          propertyDescriptors.push(
+            property(key, {
+              type: 'ObjectExpression',
+              properties: [
+                property('value', generate(child)),
+                property('configurable', literal(true)),
+                property('enumerable', literal(true)),
+                property('writable', literal(true))
+              ]
+            })
+          )
+        } else {
+          childContext.assignment = {
+            type: 'AssignmentExpression',
+            operator: '=',
+            left: {
+              type: 'MemberExpression',
+              computed: true,
+              optional: false,
+              object: identifier(context.name!),
+              property: generate(key)
+            },
+            right: childContext.assignment || generate(child)
+          }
         }
       } else {
         properties.push(property(key, generate(child)))