From 2cb3e049f5a4705e1786d5cf810600f5d1068b8e Mon Sep 17 00:00:00 2001
From: ericbfriday <29077621+ericbfriday@users.noreply.github.com>
Date: Sat, 30 May 2026 23:41:40 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Fix=20proto?= =?UTF-8?q?type=20pollution=20in=20Lua=20labels?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Prevent prototype pollution by initializing the Lua labels dictionary using `Object.create(null)` instead of a standard object literal `{}`. This ensures that user-provided string keys, such as `__proto__`, cannot modify the prototype chain, avoiding potential bypasses or unintended behavior. Provides a fallback to `{}` in older environments. Also includes a Sentinel journal entry documenting the learning.
---
 .jules/sentinel.md | 4 ++++
 luaparse.js | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..0a288e6
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-31 - [Prevent Prototype Pollution in Lua Labels]
+**Vulnerability:** The Lua labels dictionary was initialized using an object literal (`{}`), which could allow an attacker to bypass checks or pollute prototypes if user-supplied string keys (such as `"__proto__"`) are used.
+**Learning:** Using `{}` for dictionaries with user-controlled keys exposes the object to prototype modification through the `__proto__` property, even if `hasOwnProperty` is used for existence checks.
+**Prevention:** Always initialize dictionaries meant to store user-supplied string keys with `Object.create ? Object.create(null) : {}` to prevent prototype pollution and fallback gracefully.
diff --git a/luaparse.js b/luaparse.js
index a6bcbac..7f60102 100644
--- a/luaparse.js
+++ b/luaparse.js
@@ -1674,7 +1674,7 @@ FullFlowContext.prototype.pushScope = function (isLoop) {
 var scope = {
- labels: {},
+ labels: Object.create ? Object.create(null) : {},
 locals: [],
 deferredGotos: [],
 isLoop: !!isLoop
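Review bot: The `{}` fallback in the new `labels:` line fails open: on an engine that lacks `Object.create`, the dictionary silently keeps the inheriting-object behaviour this commit sets out to remove. If pre-ES5 engines are not a supported target, I would write `labels: Object.create(null), // no prototype: a label named __proto__ is stored as an own key`; if they are, the fallback needs its own guard rather than a bare `{}`. A null-prototype object has no inherited `hasOwnProperty`, so every read of `scope.labels` (none are visible in this hunk) must go through `Object.prototype.hasOwnProperty.call(scope.labels, name)` or `in`. The diffstat shows no test change; a regression case that parses a chunk containing a label named `__proto__` and a matching `goto` would pin the fix. `pushScope`'s body continues past the end of the hunk.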