[8.17] [Security Solution] Fix code scanning alert no. 469: Prototype…

…-polluting function (#201712) (#202081)

# Backport

This will backport the following commits from `main` to `8.17`:
- [[Security Solution] Fix code scanning alert no. 469:
Prototype-polluting function
(#201712)](#201712)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kevin
Qualters","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-27T21:56:59Z","message":"[Security
Solution] Fix code scanning alert no. 469: Prototype-polluting function
(#201712)\n\nFixes\r\n[https://github.com/elastic/kibana/security/code-scanning/469](https://github.com/elastic/kibana/security/code-scanning/469)\r\n\r\nWhile
I don't think this is actually an issue, as source is only a set\r\nof
ecs fields that ultimately are defined in the code and not
controlled\r\nby the
user\r\nhttps://github.com/elastic/kibana/blob/main/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts#L47\r\nThis
suggested fix doesn't have any negative impact/makes it future\r\nproof
if ever used elsewhere.\r\n\r\nTo fix the prototype pollution issue in
the `deepMerge` function, we\r\nneed to ensure that the function does
not copy the special properties\r\n`__proto__` and `constructor`.
Additionally, we should verify that the\r\nproperties being copied are
own properties of the `source` object. This\r\ncan be achieved by adding
checks within the `deepMerge` function.\r\n\r\n\r\n_Suggested fixes
powered by Copilot Autofix. Review carefully
before\r\nmerging._\r\n\r\n---------\r\n\r\nCo-authored-by: Copilot
Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"bcbf85a71f0b30e431a9dc94f3a04773e2f43623","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Threat
Hunting:Investigations","backport:prev-major"],"title":"[Security
Solution] Fix code scanning alert no. 469: Prototype-polluting
function","number":201712,"url":"https://github.com/elastic/kibana/pull/201712","mergeCommit":{"message":"[Security
Solution] Fix code scanning alert no. 469: Prototype-polluting function
(#201712)\n\nFixes\r\n[https://github.com/elastic/kibana/security/code-scanning/469](https://github.com/elastic/kibana/security/code-scanning/469)\r\n\r\nWhile
I don't think this is actually an issue, as source is only a set\r\nof
ecs fields that ultimately are defined in the code and not
controlled\r\nby the
user\r\nhttps://github.com/elastic/kibana/blob/main/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts#L47\r\nThis
suggested fix doesn't have any negative impact/makes it future\r\nproof
if ever used elsewhere.\r\n\r\nTo fix the prototype pollution issue in
the `deepMerge` function, we\r\nneed to ensure that the function does
not copy the special properties\r\n`__proto__` and `constructor`.
Additionally, we should verify that the\r\nproperties being copied are
own properties of the `source` object. This\r\ncan be achieved by adding
checks within the `deepMerge` function.\r\n\r\n\r\n_Suggested fixes
powered by Copilot Autofix. Review carefully
before\r\nmerging._\r\n\r\n---------\r\n\r\nCo-authored-by: Copilot
Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"bcbf85a71f0b30e431a9dc94f3a04773e2f43623"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201712","number":201712,"mergeCommit":{"message":"[Security
Solution] Fix code scanning alert no. 469: Prototype-polluting function
(#201712)\n\nFixes\r\n[https://github.com/elastic/kibana/security/code-scanning/469](https://github.com/elastic/kibana/security/code-scanning/469)\r\n\r\nWhile
I don't think this is actually an issue, as source is only a set\r\nof
ecs fields that ultimately are defined in the code and not
controlled\r\nby the
user\r\nhttps://github.com/elastic/kibana/blob/main/packages/kbn-alerts-as-data-utils/src/search/security/fields.ts#L47\r\nThis
suggested fix doesn't have any negative impact/makes it future\r\nproof
if ever used elsewhere.\r\n\r\nTo fix the prototype pollution issue in
the `deepMerge` function, we\r\nneed to ensure that the function does
not copy the special properties\r\n`__proto__` and `constructor`.
Additionally, we should verify that the\r\nproperties being copied are
own properties of the `source` object. This\r\ncan be achieved by adding
checks within the `deepMerge` function.\r\n\r\n\r\n_Suggested fixes
powered by Copilot Autofix. Review carefully
before\r\nmerging._\r\n\r\n---------\r\n\r\nCo-authored-by: Copilot
Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"bcbf85a71f0b30e431a9dc94f3a04773e2f43623"}}]}]
BACKPORT-->

Co-authored-by: Kevin Qualters <[email protected]>

x-pack/plugins/timelines/server/search_strategy/timeline/factory/helpers/format_timeline_data.ts

@@ -34,7 +34,14 @@ const createBaseTimelineEdges = (): TimelineEdges => ({
 
 function deepMerge(target: EventSource, source: EventSource) {
   for (const key in source) {
-    if (source && source[key] instanceof Object && target && target[key] instanceof Object) {
+    if (
+      !Object.prototype.hasOwnProperty.call(source, key) ||
+      key === '__proto__' ||
+      key === 'constructor'
+    )
+      // eslint-disable-next-line no-continue
+      continue;
+    if (source[key] instanceof Object && target[key] instanceof Object) {
       deepMerge(target[key], source[key]);
     } else {
       target[key] = source[key];