Guard object lookups against inherited prototype properties

[adamwathan]

When user-controlled candidate values like "constructor" are used as
keys to look up values in plain objects (staticValues, plugin values,
modifiers, config), they can match inherited Object.prototype properties
instead of returning undefined. This caused crashes like "V.map is not
a function" when scanning source files containing strings like
"row-constructor".

Use Object.hasOwn() checks before all user-keyed object lookups in:

• utilities.ts (staticValues lookup)
• plugin-api.ts (values, modifiers, and variant values lookups)
• plugin-functions.ts (get() config traversal function)

Fixes #19721

https://claude.ai/code/session_011CYSGw3DLh2Z8xnuyoaCgC

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c76cb8 and c2b9cff.

📒 Files selected for processing (1)

• CHANGELOG.md

---

Walkthrough

Replaces fragile property lookups with explicit own-property checks (Object.hasOwn) and adds null/undefined/non-object guards during path traversal to avoid indexing into non-object values. Converts certain static value maps to null-prototype objects before lookup to prevent inherited properties from Object.prototype. Adds tests for plugin and utility APIs using names matching Object.prototype keys (e.g. constructor, hasOwnProperty, toString, valueOf, __proto__) that assert no CSS output or errors. No public API signatures were changed.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: adding Object.hasOwn guards to prevent inherited prototype property lookups during object operations.
Description check	✅ Passed	The description is directly related to the changeset, explaining the problem, the solution approach, and linking to the specific issue being fixed (#19721).
Linked Issues check	✅ Passed	The PR fully addresses the requirements from issue #19721: it adds Object.hasOwn checks in utilities.ts, plugin-api.ts, and plugin-functions.ts to prevent user-controlled keys from matching inherited prototype properties, fixing the crash when scanning files with strings like 'row-constructor'.
Out of Scope Changes check	✅ Passed	All changes are scoped to the stated objective: adding Object.hasOwn guards in the three files mentioned, with supporting test cases, and a changelog entry. No unrelated modifications are present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/tailwindcss/src/utilities.test.ts (1)

1650-1655: Consider adding __proto__ (and related prototype members) to the test cases.

The four cases added here are the right set for the reported issue, and the structure is correct. However, __proto__ is a special accessor on Object.prototype that is equally dangerous as a keyed lookup — it's absent from the coverage. The Object.hasOwn() guard introduced in utilities.ts correctly returns false for it, but having an explicit test would prevent regressions if the guard were ever relaxed or refactored.

🧪 Proposed additional test candidates

       'row-constructor',
       'row-hasOwnProperty',
       'row-toString',
       'row-valueOf',
+      'row-__proto__',
+      'row-isPrototypeOf',
+      'row-propertyIsEnumerable',

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/tailwindcss/src/utilities.test.ts` around lines 1650 - 1655, Add an
explicit test candidate for "__proto__" alongside the existing entries
('row-constructor', 'row-hasOwnProperty', 'row-toString', 'row-valueOf') in the
candidates list in utilities.test.ts so the Object.hasOwn() guard in
utilities.ts is exercised for the special accessor; update the test array to
include "__proto__" (and any related prototype accessor names you want covered)
to ensure the guard continues to return false and prevent regressions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/tailwindcss/src/compat/plugin-api.ts`:
- Around line 426-427: The call to values.__BARE_VALUE__ is not type-safe
because Object.hasOwn(values, '__BARE_VALUE__') does not narrow to a callable;
guard the invocation by checking the property is a function before calling it
(e.g. if (typeof values.__BARE_VALUE__ === 'function') { value =
values.__BARE_VALUE__(candidate.value) ?? null }) so TypeScript recognizes the
callable; reference symbols: __BARE_VALUE__, values, candidate.value, value,
Object.hasOwn.

---

Nitpick comments:
In `@packages/tailwindcss/src/utilities.test.ts`:
- Around line 1650-1655: Add an explicit test candidate for "__proto__"
alongside the existing entries ('row-constructor', 'row-hasOwnProperty',
'row-toString', 'row-valueOf') in the candidates list in utilities.test.ts so
the Object.hasOwn() guard in utilities.ts is exercised for the special accessor;
update the test array to include "__proto__" (and any related prototype accessor
names you want covered) to ensure the guard continues to return false and
prevent regressions.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 097f982 and ca04510.

📒 Files selected for processing (5)

• packages/tailwindcss/src/compat/plugin-api.test.ts
• packages/tailwindcss/src/compat/plugin-api.ts
• packages/tailwindcss/src/compat/plugin-functions.ts
• packages/tailwindcss/src/utilities.test.ts
• packages/tailwindcss/src/utilities.ts

[coderabbitai]

🧹 Nitpick comments (1)

packages/tailwindcss/src/compat/plugin-api.ts (1)

418-430: values.DEFAULT at line 415 is the one remaining direct access without hasOwn.

All user-controlled key paths now use Object.hasOwn, but the !candidate.value branch still does values.DEFAULT ?? null via plain property access. While 'DEFAULT' is not an Object.prototype key and the lookup is not driven by user input, adding a hasOwn guard would make this block fully consistent with the rest of the change.

♻️ Optional consistency fix

-            if (!candidate.value) {
-              value = values.DEFAULT ?? null
-            } else if (candidate.value.kind === 'arbitrary') {
+            if (!candidate.value) {
+              value = Object.hasOwn(values, 'DEFAULT') ? values.DEFAULT : null
+            } else if (candidate.value.kind === 'arbitrary') {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/tailwindcss/src/compat/plugin-api.ts` around lines 418 - 430, The
branch that handles the !candidate.value case currently reads values.DEFAULT via
direct property access; change it to first check Object.hasOwn(values,
'DEFAULT') and only then set value = values.DEFAULT ?? null (otherwise fall back
to null), keeping any existing ignoreModifier logic intact; update the code
around the candidate.value / values lookup (the same area using Object.hasOwn
for fraction and value keys) to use Object.hasOwn for 'DEFAULT' for consistency.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/tailwindcss/src/compat/plugin-api.ts`:
- Around line 418-430: The branch that handles the !candidate.value case
currently reads values.DEFAULT via direct property access; change it to first
check Object.hasOwn(values, 'DEFAULT') and only then set value = values.DEFAULT
?? null (otherwise fall back to null), keeping any existing ignoreModifier logic
intact; update the code around the candidate.value / values lookup (the same
area using Object.hasOwn for fraction and value keys) to use Object.hasOwn for
'DEFAULT' for consistency.

---

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca04510 and 3c76cb8.

📒 Files selected for processing (2)

• packages/tailwindcss/src/compat/plugin-api.ts
• packages/tailwindcss/src/utilities.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/tailwindcss/src/utilities.ts

[RobinMalfait]

Made a few small changes, but looks good otherwise.