Further harden against polluted properties #1285
Merged
Commits on Nov 7, 2023
Protect against polluted properties internally

Update the internals of the project to protect against the potential of polluted properties based on manual evaluation of the source code. Re-use the `hasOwn` function from `options.js` (moved to `reflection.js`) to achieve this.

- `executables.js`: Explicitly check that `PATH` (or `Path`) isn't being inherited. This is the most obvious place where this is necessary as the code already accounts for the potential of `PATH` being undefined.
- `platforms.js`: Safely get `OSTYPE` in case it isn't defined in order to avoid wrongly concluding the current system is a Windows system as a result of a polluted `OSTYPE` value.
- `win.js`: Safely get `ComSpec` in case it isn't defined (already taken into account as well) to avoid using a default shell defined by a polluted property.

Commit 3b9251b
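The own-property lookup this commit message describes, as an added example that is not the project's own code: it reads `PATH`/`Path`, `OSTYPE` and `ComSpec` from an environment object with and without an own-property check while `Object.prototype` carries constructed marker values. The body of `hasOwn`, the `cygwin`/`msys` check, the `cmd.exe` default and every other name are assumptions.

```javascript
// hasOwn is the helper named in the commit message; its body here and all
// other names are assumptions made for this example.
const hasOwn = (object, property) =>
  Object.prototype.hasOwnProperty.call(object, property);

// Read a key only when it is set on the object itself, never inherited.
const getOwn = (object, property) =>
  hasOwn(object, property) ? object[property] : undefined;

// Plain lookups: a missing key falls through to Object.prototype.
const unsafe = {
  path: (env) => env.PATH ?? env.Path,
  isWindows: (env) => /^(cygwin|msys)$/u.test(env.OSTYPE ?? ""), // assumed check
  shell: (env) => env.ComSpec ?? "cmd.exe", // assumed default shell
};

// Own-property lookups: inherited values are ignored.
const safe = {
  path: (env) => getOwn(env, "PATH") ?? getOwn(env, "Path"),
  isWindows: (env) => /^(cygwin|msys)$/u.test(getOwn(env, "OSTYPE") ?? ""),
  shell: (env) => getOwn(env, "ComSpec") ?? "cmd.exe",
};

const read = (reader, env) => ({
  path: reader.path(env),
  isWindows: reader.isWindows(env),
  shell: reader.shell(env),
});

// Set constructed marker values on Object.prototype, read env both ways,
// and always restore the prototype afterwards.
function compare(env) {
  const polluted = { PATH: "/polluted", OSTYPE: "msys", ComSpec: "polluted.exe" };
  const keys = Object.keys(polluted);
  for (const key of keys) Object.prototype[key] = polluted[key];
  try {
    return { unsafe: read(unsafe, env), safe: read(safe, env) };
  } finally {
    for (const key of keys) delete Object.prototype[key];
  }
}

// Constructed sample environment with none of the three variables set.
console.log(compare({ HOME: "/home/user" }));
```

When the variables are set on the environment object itself, both readers return the own values, so the check only changes behaviour for missing keys.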
Commits on Nov 8, 2023
Update unit test suite for `executables.js`

- Test that when `PATH` and `Path` are missing, no path is given to `which`.
- Test that a polluted `PATH` value is not used.
- Test that a polluted `Path` value is not used.
- Simplify existing tests that unnecessarily require `PATH` and `Path` to be present on the path.

Commit e553a73
Commit d33f60b
Commit 0dcbb51
Update unit test suite for `win.js`

Test that a polluted `ComSpec` value is not used. Also, improve upon [1] by

- Not requiring non-empty PATH strings
- Improving test titles for newly added tests for the `executables.js` test suite.

--
1. e553a73

Commit 7ec2e34
Commits on Nov 11, 2023
Commit ee9bdbc
Add preconditions to polluted value tests
Otherwise they may fail. No matter how unlikely, we don't want these tests to be flaky in practice. I've opted to use `fc` within an AVA `test` over `testProp` because `fc.pre()` does not seem to work with `testProp` (test fails if check fails, instead of skipping it) and I think using `fc.pre()` is more expressive than filtering the arbitrary (though it has the same result and does work with `testProp`).
Commit 6788559
Commits on Nov 12, 2023
- Correct OSTYPE pollution test, arbitrary values were ordered incorrectly
- Improve ComSpec pollution test, include when ComSpec is defined
- Cover scenario where a value is both defined and polluted by

Commit 778e313
Commit f46a0f3
Commits on Nov 19, 2023
Commit 14ad5fc
Commit 781c6b2