fix: replace lodash.get with safeGet helper to prevent prototype pollution (#10987)

* feat: replace lodash.get with safeGet helper to prevent prototype pollution

Signed-off-by: Yulong Ruan <[email protected]>

* Changeset file for PR #10987 created/updated

---------

Signed-off-by: Yulong Ruan <[email protected]>
Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com>

Author: ruanyl

changelogs/fragments/10987.yml

@@ -0,0 +1,2 @@
+fix:
+- Replace lodash.get with safeGet helper to prevent prototype pollution ([#10987](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/10987))

src/plugins/vis_type_timeseries/server/lib/vis_data/helpers/get_sibling_agg_value.js

@@ -29,11 +29,12 @@
  */
 
 import _ from 'lodash';
+import { safeGet } from './safe_get';
 
 export const getSiblingAggValue = (row, metric) => {
   let key = metric.type.replace(/_bucket$/, '');
   if (key === 'std_deviation' && _.includes(['upper', 'lower'], metric.mode)) {
     key = `std_deviation_bounds.${metric.mode}`;
   }
-  return _.get(row, `${metric.id}.${key}`);
+  return safeGet(row, `${metric.id}.${key}`);
 };

src/plugins/vis_type_timeseries/server/lib/vis_data/helpers/safe_get.js

@@ -0,0 +1,31 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+// A safe get function that blocks prototype access
+export function safeGet(object, path, defaultValue) {
+  const pathArray = Array.isArray(path) ? path : path.split('.');
+
+  // Block dangerous prototype pollution paths
+  const dangerousPaths = ['__proto__', 'constructor', 'prototype'];
+  for (const segment of pathArray) {
+    if (dangerousPaths.includes(segment)) {
+      return defaultValue;
+    }
+  }
+
+  // Use standard property access instead of lodash.get
+  let result = object;
+  for (const key of pathArray) {
+    if (result == null || typeof result !== 'object') {
+      return defaultValue;
+    }
+    // Only access own properties, not inherited ones
+    if (!Object.prototype.hasOwnProperty.call(result, key)) {
+      return defaultValue;
+    }
+    result = result[key];
+  }
+  return result !== undefined ? result : defaultValue;
+}