From 35da60b5a9cd2758e871a9e260eade327c64e736 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hu=C3=A1ng=20J=C3=B9nli=C3=A0ng?= <jlhwung@gmail.com>
Date: Thu, 14 Jul 2022 15:45:55 -0400
Subject: [PATCH] fix: skip flattening spread object with __proto__

---
 .../src/create-plugin.ts                      | 11 ++++++++-
 .../react-automatic/flattens-spread/input.js  |  4 ++++
 .../flattens-spread/output.mjs                | 10 ++++++++
 .../handle-spread-with-proto/input.js         |  7 ++++++
 .../handle-spread-with-proto/output.mjs       | 24 +++++++++++++++++++
 .../fixtures/react/flattens-spread/input.js   |  4 ++++
 .../fixtures/react/flattens-spread/output.js  | 10 ++++++++
 .../react/handle-spread-with-proto/input.js   |  7 ++++++
 .../react/handle-spread-with-proto/output.js  | 18 ++++++++++++++
 9 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/input.js
 create mode 100644 packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/output.mjs
 create mode 100644 packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/input.js
 create mode 100644 packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/output.js

diff --git a/packages/babel-plugin-transform-react-jsx/src/create-plugin.ts b/packages/babel-plugin-transform-react-jsx/src/create-plugin.ts
index 3e3a93963030..352507157f21 100644
--- a/packages/babel-plugin-transform-react-jsx/src/create-plugin.ts
+++ b/packages/babel-plugin-transform-react-jsx/src/create-plugin.ts
@@ -39,6 +39,15 @@ const get = (pass: PluginPass, name: string) =>
 const set = (pass: PluginPass, name: string, v: any) =>
   pass.set(`@babel/plugin-react-jsx/${name}`, v);
 
+function hasProto(node: t.ObjectExpression) {
+  return node.properties.some(
+    value =>
+      t.isObjectProperty(value, { computed: false }) &&
+      (t.isIdentifier(value.key, { name: "__proto__" }) ||
+        t.isStringLiteral(value.key, { value: "__proto__" })),
+  );
+}
+
 export interface Options {
   filter?: (node: t.Node, pass: PluginPass) => boolean;
   importSource?: string;
@@ -422,7 +431,7 @@ You can set \`throwIfNamespace: false\` to bypass this warning.`,
       if (t.isJSXSpreadAttribute(attribute.node)) {
         const arg = attribute.node.argument;
         // Collect properties into props array if spreading object expression
-        if (t.isObjectExpression(arg)) {
+        if (t.isObjectExpression(arg) && !hasProto(arg)) {
           array.push(...arg.properties);
         } else {
           array.push(t.spreadElement(arg));
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/input.js b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/input.js
index 7cf92a69c605..90583d9cae87 100644
--- a/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/input.js
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/input.js
@@ -5,3 +5,7 @@
 <img alt="" {...{src, title}} />;
 
 <blockquote {...{cite}}>{items}</blockquote>;
+
+<pre {...{["__proto__"]: null }}></pre>;
+
+<code {...{[__proto__]: null }}></code>;
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/output.mjs b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/output.mjs
index 738dcc4e9e95..1af3a72670f5 100644
--- a/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/output.mjs
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/flattens-spread/output.mjs
@@ -22,3 +22,13 @@ _jsx("blockquote", {
   cite,
   children: items
 });
+
+/*#__PURE__*/
+_jsx("pre", {
+  ["__proto__"]: null
+});
+
+/*#__PURE__*/
+_jsx("code", {
+  [__proto__]: null
+});
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/input.js b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/input.js
new file mode 100644
index 000000000000..9c912e5b5dac
--- /dev/null
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/input.js
@@ -0,0 +1,7 @@
+var __proto__ = null;
+
+<p {...{__proto__: null}}>text</p>;
+
+<div {...{"__proto__": null}}>{contents}</div>;
+
+<img alt="" {...{__proto__}} />;
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/output.mjs b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/output.mjs
new file mode 100644
index 000000000000..fe59e902ea16
--- /dev/null
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react-automatic/handle-spread-with-proto/output.mjs
@@ -0,0 +1,24 @@
+import { jsx as _jsx } from "react/jsx-runtime";
+var __proto__ = null;
+
+/*#__PURE__*/
+_jsx("p", { ...{
+    __proto__: null
+  },
+  children: "text"
+});
+
+/*#__PURE__*/
+_jsx("div", { ...{
+    "__proto__": null
+  },
+  children: contents
+});
+
+/*#__PURE__*/
+_jsx("img", {
+  alt: "",
+  ...{
+    __proto__
+  }
+});
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/input.js b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/input.js
index 7cf92a69c605..90583d9cae87 100644
--- a/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/input.js
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/input.js
@@ -5,3 +5,7 @@
 <img alt="" {...{src, title}} />;
 
 <blockquote {...{cite}}>{items}</blockquote>;
+
+<pre {...{["__proto__"]: null }}></pre>;
+
+<code {...{[__proto__]: null }}></code>;
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/output.js b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/output.js
index 25b234ea3b58..5802d5a62a99 100644
--- a/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/output.js
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/flattens-spread/output.js
@@ -15,3 +15,13 @@ React.createElement("img", {
 React.createElement("blockquote", {
   cite
 }, items);
+
+/*#__PURE__*/
+React.createElement("pre", {
+  ["__proto__"]: null
+});
+
+/*#__PURE__*/
+React.createElement("code", {
+  [__proto__]: null
+});
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/input.js b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/input.js
new file mode 100644
index 000000000000..9c912e5b5dac
--- /dev/null
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/input.js
@@ -0,0 +1,7 @@
+var __proto__ = null;
+
+<p {...{__proto__: null}}>text</p>;
+
+<div {...{"__proto__": null}}>{contents}</div>;
+
+<img alt="" {...{__proto__}} />;
diff --git a/packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/output.js b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/output.js
new file mode 100644
index 000000000000..456dad6b23ff
--- /dev/null
+++ b/packages/babel-plugin-transform-react-jsx/test/fixtures/react/handle-spread-with-proto/output.js
@@ -0,0 +1,18 @@
+var __proto__ = null;
+
+/*#__PURE__*/
+React.createElement("p", {
+  __proto__: null
+}, "text");
+
+/*#__PURE__*/
+React.createElement("div", {
+  "__proto__": null
+}, contents);
+
+/*#__PURE__*/
+React.createElement("img", babelHelpers.extends({
+  alt: ""
+}, {
+  __proto__
+}));