refactor(core): harden change store access

JeanMeche · atscott · commit bff084f203d9 · 2026-06-09T10:05:53.000-07:00
This prevents any attack through prototype polution.
diff --git a/packages/core/src/render3/features/ng_onchanges_feature.ts b/packages/core/src/render3/features/ng_onchanges_feature.ts
@@ -8,11 +8,11 @@
 
 import {InputSignalNode} from '../../authoring/input/input_signal_node';
 import {OnChanges} from '../../change_detection/lifecycle_hooks';
+import {SimpleChange, SimpleChanges} from '../../change_detection/simple_change';
 import {assertString} from '../../util/assert';
 import {EMPTY_OBJ} from '../../util/empty';
 import {applyValueToInputField} from '../apply_value_input_field';
 import {DirectiveDef, DirectiveDefFeature} from '../interfaces/definition';
-import {SimpleChange, SimpleChanges} from '../../change_detection/simple_change';
 
 /**
  * The NgOnChangesFeature decorates a component with support for the ngOnChanges
@@ -112,7 +112,9 @@ function ngOnChangesSetInput<T>(
 const SIMPLE_CHANGES_STORE = '__ngSimpleChanges__';
 
 function getSimpleChangesStore(instance: any): null | NgSimpleChangesStore {
-  return instance[SIMPLE_CHANGES_STORE] || null;
+  return Object.hasOwn(instance, SIMPLE_CHANGES_STORE)
+    ? instance[SIMPLE_CHANGES_STORE] || null
+    : null;
 }
 
 function setSimpleChangesStore(instance: any, store: NgSimpleChangesStore): NgSimpleChangesStore {
