Enhance prototype pollution protection #288
…nd 'prototype' as map keys
This fixes a potential security issue.
Thanks. Will release a new version immediately.
Awesome thank you for your attention on this.

A better fix would be to just make msgpack-javascript/src/Decoder.ts Line 138 in dd2190b `state.map = { __proto__: null };` Then you don't have to reject any key names.
| const o = { | ||
| foo: "bar", | ||
| }; | ||
| // override constructor as an enumerable property | ||
| Object.defineProperty(o, "constructor", { | ||
| value: new Date(0), | ||
| enumerable: true, | ||
| }); |
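Review bot: the fixture built from `const o = { foo: "bar" }` and `Object.defineProperty(o, "constructor", ...)` exercises only the `constructor` key, while the change is described as rejecting both `constructor` and `prototype`. If no other case in the test file covers it, add a sibling fixture with an enumerable `prototype` key so that both rejected names are pinned by a test.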
This is the same thing as
```diff
-const o = {
-  foo: "bar",
-};
-// override constructor as an enumerable property
-Object.defineProperty(o, "constructor", {
-  value: new Date(0),
-  enumerable: true,
-});
+const o = {
+  foo: "bar",
+  constructor: new Date(0),
+};
```
| throws(() => { | ||
| decode(encoded); | ||
| }, DecodeError); |
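Review bot: `throws(() => { decode(encoded); }, DecodeError)` checks only the error class, so the test would also pass if `decode` raised a `DecodeError` for some unrelated reason. Matching on the error message as well, or on the offending key if the error exposes it, would tie the assertion to the key rejection this test is meant to cover.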
Instead of just testing that it fails to decode, you should've instead tested that, even in the hostile environment where you've imagined a current security issue, the library does not trigger it.
Alternatively, on msgpack-javascript/src/Decoder.ts Line 664 in dd2190b you can just use
Added constructor and prototype to the not allowed keys
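
The three approaches discussed in this thread (a plain `{}` target, a `{ __proto__: null }` target, and rejecting key names) compared side by side. This is an added example, not code from the PR or from msgpack-javascript; `buildMap`, `inspect`, `tryReject`, the sample entries and the rejected-key list are hypothetical.

```javascript
// Added illustration: buildMap is a hypothetical stand-in for a decoder's
// map-building step. It is not msgpack-javascript code.
function buildMap(entries, { nullProto = false, rejectKeys = [] } = {}) {
  const map = nullProto ? { __proto__: null } : {};
  for (const [key, value] of entries) {
    if (rejectKeys.includes(key)) {
      throw new TypeError(`map key "${key}" is not allowed`);
    }
    map[key] = value;
  }
  return map;
}

// Constructed sample input: decoded pairs whose keys collide with names
// that a plain object inherits from Object.prototype.
const entries = [
  ["foo", "bar"],
  ["__proto__", { isAdmin: true }],
  ["constructor", "x"],
];

function inspect(map) {
  return {
    ownKeys: Object.keys(map),
    proto: Object.getPrototypeOf(map),
    isAdmin: map.isAdmin, // defined only if the map's prototype was swapped
    globalTouched: "isAdmin" in {}, // true only if Object.prototype changed
  };
}

// 1. Plain {} target: "__proto__" hits the inherited setter, so the value
//    becomes the map's prototype and the key itself is silently dropped.
const plain = inspect(buildMap(entries));

// 2. { __proto__: null } target: no setter is inherited, so every key,
//    "__proto__" included, is stored as ordinary own data.
const nullProto = inspect(buildMap(entries, { nullProto: true }));

// 3. Key rejection (list assumed for this example): the input is refused.
function tryReject() {
  try {
    buildMap(entries, { rejectKeys: ["__proto__", "constructor", "prototype"] });
    return null;
  } catch (e) {
    return e.message;
  }
}

console.log({ plain, nullProto, rejected: tryReject() });
```

The `globalTouched` field is the kind of check the review comment above asks for: it asserts on the state of the environment after decoding rather than only on whether decoding threw.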