[DataGrid] Fix crash when grouping/tree-data values match Object.prototype property names #22312

Open
LukasTy wants to merge 1 commit into mui:master from LukasTy:claude/distracted-germain-74b212

Member

@LukasTy LukasTy commented May 5, 2026

Fixes #22310

Summary

The Data Grid (Pro & Premium) crashed with a white screen when a row-grouping value or tree-data path segment was equal to 'constructor' (or any other Object.prototype property name like '__proto__', 'toString', 'hasOwnProperty', 'valueOf').

Reproduction (from the issue): https://codesandbox.io/p/devbox/mui-datagrid-nested-rows-geographic-example-forked-jnswls

Fixed example: https://stackblitz.com/edit/avpph9bc?file=src%2FDemo.tsx

Root cause

The row-tree builder used plain {} objects as hash maps keyed by user-supplied grouping values. The lookup in insertDataRowInTree.ts did:

const existingNodeIdWithPartialPath = (tree[parentNodeId] as GridGroupNode)
  .childrenFromPath?.[fieldWithDefaultValue]
  ?.[keyWithDefaultValue.toString()];

When the user-provided key was 'constructor', ({}).constructor returned Object.prototype.constructor (the Object function) instead of undefined. The code then treated that function as an existing node id, fetched tree[Object] (undefined), and crashed when trying to read .type / .isAutoGenerated on it.

Fix

Switch the childrenFromPath lookup objects from plain {} to Object.create(null). Prototype-less objects do not expose Object.prototype properties, so user-supplied keys can never collide with constructor, __proto__, toString, etc. This matches existing usage in gridSortingSelector.ts, gridFilterSelector.ts, and useGridColumnHeaders.tsx.

The GridChildrenFromPathLookup type signature does not change; TypeScript treats it as an index signature regardless of the runtime prototype, and existing readers (map[key]) keep working unchanged.

Files touched

  • packages/x-data-grid/src/hooks/features/rows/gridRowsUtils.ts (root group)
  • packages/x-data-grid-pro/src/utils/tree/insertDataRowInTree.ts (3 group node construction sites)
  • packages/x-data-grid-pro/src/utils/tree/utils.ts (inner per-field map in insertNodeInTree)
  • packages/x-data-grid-pro/src/hooks/features/treeData/treeDataReorderExecutor.ts (drop-on-leaf reorder)

…totype property names

The row-tree builder used plain `{}` objects as hash maps keyed by
user-supplied grouping values. Looking up `'constructor'` (or
`'__proto__'`, `'toString'`, etc.) returned the inherited
`Object.prototype` property instead of `undefined`, so the code thought
a node already existed at that path and crashed when it tried to use
the prototype function as a node id.

Switch the `childrenFromPath` lookup objects to `Object.create(null)`
so user-supplied keys can never collide with `Object.prototype`. This
matches existing usage in the sorting/filter selectors.

Fixes mui#22310

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
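
The failure mode described in the PR summary and in the commit message above, reduced to a standalone model. This is an added example, not MUI X code: `buildTree`, `plainLookup`, `nullProtoLookup` and the sample rows are hypothetical, and only the `childrenFromPath[field][key]` lookup shape is taken from the PR.

```javascript
// Added illustration: simplified row-tree builder. All names are hypothetical
// except childrenFromPath, which mirrors the lookup shape quoted in the PR.
const plainLookup = () => ({});
const nullProtoLookup = () => Object.create(null);

// Constructed sample rows; "country" is the grouping field.
const SAMPLE_ROWS = [
  { id: 1, country: 'France' },
  { id: 2, country: 'constructor' },
  { id: 3, country: '__proto__' },
  { id: 4, country: 'constructor' },
  { id: 5, country: 'toString' },
];

function buildTree(rows, field, makeLookup) {
  const root = { id: 'root', children: [], childrenFromPath: makeLookup() };
  const tree = { root };
  let nextId = 0;
  for (const row of rows) {
    const key = String(row[field]);
    const existingId = root.childrenFromPath?.[field]?.[key];
    let group = existingId === undefined ? undefined : tree[existingId];
    if (existingId !== undefined && group === undefined) {
      // An inherited Object.prototype member was mistaken for a node id.
      // The real grid crashed at this point; this model reports it instead.
      return { ok: false, key, bogusIdType: typeof existingId };
    }
    if (group === undefined) {
      group = { id: `auto-group-${nextId++}`, key, children: [], childrenFromPath: makeLookup() };
      tree[group.id] = group;
      root.children.push(group.id);
      if (!root.childrenFromPath[field]) {
        root.childrenFromPath[field] = makeLookup();
      }
      // On a null-prototype map, '__proto__' is stored as an ordinary own key.
      root.childrenFromPath[field][key] = group.id;
    }
    group.children.push(row.id);
  }
  return { ok: true, groups: root.children.map((id) => [tree[id].key, tree[id].children]) };
}

console.log(buildTree(SAMPLE_ROWS, 'country', plainLookup));
console.log(buildTree(SAMPLE_ROWS, 'country', nullProtoLookup));
```

In this model the collision only appears once the per-field map already exists, which is why the sample data puts an ordinary value before `'constructor'`.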
@LukasTy LukasTy self-assigned this May 5, 2026
@LukasTy LukasTy added type: bug It doesn't behave as expected. scope: data grid Changes related to the data grid. labels May 5, 2026
@code-infra-dashboard

Deploy preview

https://deploy-preview-22312--material-ui-x.netlify.app/

Bundle size

| Bundle | Parsed size | Gzip size |
| --- | --- | --- |
| @mui/x-data-grid | 🔺+17B(0.00%) | 🔺+3B(0.00%) |
| @mui/x-data-grid-pro | 🔺+121B(+0.02%) | 🔺+10B(+0.01%) |
| @mui/x-data-grid-premium | 🔺+121B(+0.02%) | 🔺+11B(+0.01%) |
| @mui/x-charts | 0B(0.00%) | 0B(0.00%) |
| @mui/x-charts-pro | 0B(0.00%) | 0B(0.00%) |
| @mui/x-charts-premium | 0B(0.00%) | 0B(0.00%) |
| @mui/x-date-pickers | 0B(0.00%) | 0B(0.00%) |
| @mui/x-date-pickers-pro | 0B(0.00%) | 0B(0.00%) |
| @mui/x-tree-view | 0B(0.00%) | 0B(0.00%) |
| @mui/x-tree-view-pro | 0B(0.00%) | 0B(0.00%) |


Check out the code infra dashboard for more information about this PR.

@LukasTy LukasTy marked this pull request as ready for review May 5, 2026 08:05
Contributor

Copilot AI left a comment


Pull request overview

Fixes a Data Grid crash in row-grouping and tree-data when user-provided grouping keys/path segments collide with Object.prototype property names (e.g. "constructor", "__proto__", "toString"). The fix prevents prototype pollution / prototype-chain lookups by using prototype-less objects as the internal hash maps for childrenFromPath.

Changes:

  • Replace {} maps used for childrenFromPath (and its per-field nested maps) with Object.create(null) in row-tree construction and tree-data reorder logic.
  • Add regression tests covering problematic grouping values in row grouping and tree-data paths.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| packages/x-data-grid/src/hooks/features/rows/gridRowsUtils.ts | Makes the root group’s childrenFromPath prototype-less to avoid key collisions with Object.prototype. |
| packages/x-data-grid-pro/src/utils/tree/utils.ts | Ensures newly created per-field childrenFromPath[groupingField] maps are prototype-less. |
| packages/x-data-grid-pro/src/utils/tree/insertDataRowInTree.ts | Creates group nodes with prototype-less childrenFromPath during tree insertion/building. |
| packages/x-data-grid-pro/src/hooks/features/treeData/treeDataReorderExecutor.ts | Uses a prototype-less childrenFromPath when converting a leaf to a group during drop-on-leaf reorder. |
| packages/x-data-grid-pro/src/tests/treeData.DataGridPro.test.tsx | Adds regression test for tree-data paths beginning with "constructor". |
| packages/x-data-grid-premium/src/tests/rowGrouping.DataGridPremium.test.tsx | Adds regression test for row-grouping values colliding with Object.prototype property names. |


@LukasTy LukasTy added needs cherry-pick The PR should be cherry-picked to master after merge. v8.x labels May 5, 2026
Member Author

LukasTy commented May 5, 2026

Should we also cherry-pick this to v7?

@MBilalShafi MBilalShafi changed the title [data grid] Fix crash when grouping/tree-data values match Object.prototype property names [DataGrid] Fix crash when grouping/tree-data values match Object.prototype property names May 6, 2026
Member

@MBilalShafi MBilalShafi left a comment


> Should we also cherry-pick this to v7?

I think so. The effort should be minimal.


Development

Successfully merging this pull request may close these issues.

[DataGrid] JS Crash due to reserved JS keyword values (i.e. constructor)
