fix(#119, #121): validate profile names to prevent Object.prototype pollution#138

Open
anshul23102 wants to merge 1 commit into
SamXop123:mainfrom
anshul23102:fix/119-121-profile-name-prototype-pollution
Conversation

@anshul23102

Summary

Two separate code paths in main.js allowed attacker-controlled strings to be used as plain-object keys without validation, enabling prototype pollution of Object.prototype in the main process.

  1. Issue #121 (Security: saveThemeProfile and loadThemeProfile accept unchecked profileName strings, allowing renderer to pollute Object.prototype via reserved property names): saveThemeProfile(profileName) used the renderer-supplied string directly as profiles[profileName] = visualizerSettings. Calling window.paralineApp.saveThemeProfile('__proto__') set Object.prototype properties to all current settings values, affecting every plain object created in the main process for the rest of the session.

  2. Issue #119 (Security: theme-profiles:import derives profile name from filename, allowing a file named __proto__.json to pollute Object.prototype): The theme-profiles:import handler derived the profile name from the imported filename via path.basename(filePath, '.json'). Importing a file named __proto__.json triggered profiles['__proto__'] = sanitizedProfile, same impact as above.

Closes #119
Closes #121

Root Cause

// Issue #121 - saveThemeProfile
profiles[profileName] = visualizerSettings;  // profileName unchecked

// Issue #119 - theme-profiles:import
const profileName = path.basename(filePath, '.json');  // filename as key
profiles[profileName] = sanitizedProfile;             // no validation

Fix

Added isValidProfileName() which rejects:

  • Non-string or empty values
  • Reserved JS property names: __proto__, constructor, prototype
  • Strings that do not match the safe allowlist [A-Za-z0-9 _\-()À-ɏ]{1,64}

saveThemeProfile returns null early for invalid names. The import handler returns a structured { success: false, error } response. The guard is defined once and applied consistently across both call sites.

const RESERVED_PROFILE_NAMES = new Set(["__proto__", "constructor", "prototype"]);
const SAFE_PROFILE_NAME_RE = /^[A-Za-z0-9 _\-()À-ɏ]{1,64}$/;

function isValidProfileName(name) {
  if (typeof name !== "string" || name.trim() === "") return false;
  if (RESERVED_PROFILE_NAMES.has(name)) return false;
  return SAFE_PROFILE_NAME_RE.test(name);
}

Files Changed

  • main.js: Added isValidProfileName helper; applied at start of saveThemeProfile; applied to filename-derived name in theme-profiles:import.

How to Test

  1. In renderer DevTools: window.paralineApp.saveThemeProfile('__proto__') should return null and leave Object.prototype unchanged.
  2. Import a file named __proto__.json — should return { success: false, error: '...' }.
  3. Normal profile names like My Profile or Dark-2024 should continue to work.

Checklist

…Object.prototype pollution

Two separate code paths allowed renderer-supplied or filename-derived strings
to be used as object keys on the profiles plain object without any validation:

1. saveThemeProfile (called via theme-profiles:save IPC) used the renderer
   string directly: profiles[profileName] = visualizerSettings.
   window.paralineApp.saveThemeProfile('__proto__') caused
   profiles['__proto__'] = visualizerSettings, polluting Object.prototype
   with all current settings properties for the rest of the main-process
   session. (Issue SamXop123#121)

2. The theme-profiles:import handler derived the profile name from the
   imported filename via path.basename. Importing a file named __proto__.json
   set profiles['__proto__'] = sanitizedProfile, same impact. (Issue SamXop123#119)

Added isValidProfileName() which rejects any name that:
- is not a non-empty string
- matches a reserved JS property name (__proto__, constructor, prototype)
- does not match the safe allowlist pattern [A-Za-z0-9 _-() unicode]{1,64}

saveThemeProfile now returns null early for invalid names. The import handler
returns a structured error response. The guard is defined once and applied
consistently across both call sites.

Fixes SamXop123#119
Fixes SamXop123#121
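As an added example (not the project's main.js and not the author's code), the following JavaScript reproduces the hazard the PR description and commit message above describe and shows the isValidProfileName() guard from the PR closing it. It assumes profiles is a plain object, uses a constructed in-place update path to make the write reach Object.prototype, and substitutes a small profileNameFromFilename helper for path.basename(filePath, '.json').

```javascript
// Added example, not the project's main.js. The guard below is copied from the PR;
// everything else is constructed to demonstrate why it is needed.
const RESERVED_PROFILE_NAMES = new Set(["__proto__", "constructor", "prototype"]);
const SAFE_PROFILE_NAME_RE = /^[A-Za-z0-9 _\-()À-ɏ]{1,64}$/;

function isValidProfileName(name) {
  if (typeof name !== "string" || name.trim() === "") return false;
  if (RESERVED_PROFILE_NAMES.has(name)) return false;
  return SAFE_PROFILE_NAME_RE.test(name);
}

// Stand-in for path.basename(filePath, ".json") used by the import handler.
function profileNameFromFilename(filePath) {
  const base = filePath.split(/[\\/]/).pop();
  return base.endsWith(".json") ? base.slice(0, -".json".length) : base;
}

// Vulnerable shape (constructed): store under an unchecked key and, for an
// existing entry, update it in place. With a plain object, "__proto__" is
// always "in" profiles (inherited accessor), so profiles["__proto__"] resolves
// to Object.prototype and the in-place update writes straight onto it.
function saveProfileUnchecked(profiles, name, settings) {
  if (name in profiles) Object.assign(profiles[name], settings);
  else profiles[name] = settings;
  return profiles;
}

// Hardened shape, mirroring the PR: reject the name before it is ever used as
// a key and return null, as saveThemeProfile now does.
function saveProfileChecked(profiles, name, settings) {
  if (!isValidProfileName(name)) return null;
  profiles[name] = { ...settings };
  return profiles;
}

// Runs the vulnerable path with the name "__proto__" and reports what an
// unrelated fresh object then sees; cleans up so the process is not left polluted.
function demoUnchecked() {
  const profiles = {};
  saveProfileUnchecked(profiles, "__proto__", { polluted: "yes" });
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked; // "yes": every plain object inherited the setting
}

// Same attempt through the filename-derived path with the guard in place.
function demoChecked() {
  const name = profileNameFromFilename("/imports/__proto__.json");
  const result = saveProfileChecked({}, name, { polluted: "yes" });
  return { result, leaked: ({}).polluted }; // { result: null, leaked: undefined }
}
```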
@vercel

vercel Bot commented May 30, 2026

@anshul23102 is attempting to deploy a commit to the Dot_NotSam's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented May 30, 2026

Warning

Review limit reached

@anshul23102, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 26 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aff34b4f-8777-493c-ab91-8a5d9347f507

📥 Commits

Reviewing files that changed from the base of the PR and between 3e9da7b and 5cda08e.

📒 Files selected for processing (1)
  • main.js