
Security: theme-profiles:import derives profile name from filename, allowing a file named __proto__.json to pollute Object.prototype #119

@anshul23102


Describe the bug

In main.js, the profile name is derived directly from the filename of the imported file:

```javascript
// main.js (as reported): the profile key is taken straight from the imported file's name
const profileName = path.basename(filePath, '.json');
const profiles = settingsStore.loadProfiles();
profiles[profileName] = sanitizedProfile; // key is filename-derived
settingsStore.saveProfiles(profiles);
```

Importing a file named __proto__.json executes profiles['__proto__'] = sanitizedProfile, which pollutes Object.prototype with all current visualizer settings properties. This affects every plain object in the main process for the rest of the session.

To Reproduce

  1. Create a file named __proto__.json with valid theme profile JSON.
  2. Use Paraline's Import Profile feature and select this file.
  3. Observe that Object.prototype is polluted with settings properties.

Expected behavior
The profile name should be validated to reject reserved JavaScript property names (__proto__, constructor, prototype) before being used as an object key.
