Fix Prototype Pollution Vulnerability in Template Engine #24
Description:
The custom template engine resolves nested object paths using double-mustache syntax (e.g., {{step.data.user}}). The logic used to parse, split, and deeply merge or resolve these paths does not sanitize reserved object keys. If a user inputs a payload containing `__proto__`, `constructor`, or `prototype`, the resolver may modify the base Object.prototype globally across the Node.js process.
Impact:
Application-wide Denial of Service, logic bypasses, or potential privilege escalation if authentication checks rely on undefined object properties.
Affected Components:
apps/backend/utils/templateEngine/resolver.js
apps/backend/utils/templateEngine/tokenizer.js
apps/backend/utils/templateEngine/parsers.js
Suggested Remediation:
Implement strict key validation in the path resolution logic.
Explicitly drop or throw an error if a path segment contains `__proto__`, `constructor`, or `prototype`.
Use Object.create(null) for internal dictionaries where possible.