From ab64b67844cd10241b05f4af1b92c2aeac80fabe Mon Sep 17 00:00:00 2001
From: fuomag9
Date: Sat, 15 Nov 2025 10:25:13 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 5: Prototype-polluting function
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/lib/caddy.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/lib/caddy.ts b/src/lib/caddy.ts
index b3c2e9c1..35a87fe7 100644
--- a/src/lib/caddy.ts
+++ b/src/lib/caddy.ts
@@ -155,6 +155,14 @@ function parseOptionalJson(value: string | null | undefined) {
 function mergeDeep(target: Record, source: Record) {
 for (const [key, value] of Object.entries(source)) {
+ // Block prototype-polluting keys
+ if (
+ key === "__proto__" ||
+ key === "constructor" ||
+ key === "prototype"
+ ) {
+ continue;
+ }
 const existing = target[key];
 if (isPlainObject(existing) && isPlainObject(value)) {
 mergeDeep(existing, value);
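Review bot: `const existing = target[key]` in mergeDeep, directly after the new guard, still reads through the prototype chain, so the recursion is only safe while the three-name denylist is complete. A structural check would hold regardless of key name: `const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;`, so mergeDeep only ever descends into own properties of target. The `continue` also drops the key silently; if source is operator-supplied JSON (parseOptionalJson sits just above, so presumably it is), a warning log or a validation error would make a discarded key visible rather than leaving a quietly partial config. mergeDeep's body continues past the hunk, so the non-recursive assignment branch and isPlainObject are not visible here; a regression test that merges `JSON.parse('{"__proto__":{"polluted":true}}')` and asserts `({} as any).polluted === undefined` would pin the fix.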