From 173573ee3ab0b51c7ad9508463fa8f946610f4d4 Mon Sep 17 00:00:00 2001
From: Adhityan K V <adhityan@hotmail.com>
Date: Fri, 14 Nov 2025 22:38:20 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 1:
 Prototype-polluting assignment

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 core/embedjs/src/store/memory-store.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/embedjs/src/store/memory-store.ts b/core/embedjs/src/store/memory-store.ts
index 11c3f905..19232d78 100644
--- a/core/embedjs/src/store/memory-store.ts
+++ b/core/embedjs/src/store/memory-store.ts
@@ -8,7 +8,7 @@ export class MemoryStore implements BaseStore {
 
     async init(): Promise<void> {
         this.loaderList = {};
-        this.loaderCustomValues = {};
+        this.loaderCustomValues = Object.create(null);
         this.conversations = new Map();
         this.loaderCustomValuesMap = new Map();
     }
@@ -37,6 +37,9 @@ export class MemoryStore implements BaseStore {
     }
 
     async loaderCustomGet<T extends Record<string, unknown>>(key: string): Promise<T> {
+        if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+            throw new Error("Invalid key");
+        }
         const data = <T & { loaderId: string }>this.loaderCustomValues[key];
         delete data.loaderId;
         return data;