Fix no-prototype-builtins bug in debug node and utils #3394
Conversation
`msg.hasOwnProperty("status")` might make the debug node crash/produce an error if the payload was created with `Object.create(null)`. This is the case e.g. for `ini` (to parse INI files), an official NPM node: https://github.com/npm/ini/blob/4f289946b3bf95f144e849d771f64e4f2aa2737c/lib/ini.js#L63

My Node-RED node `node-red-contrib-parser-ini`, which is using that library, was hit by this bug and I had to ship a workaround: https://github.com/alexandrainst/node-red-contrib-parser-ini/blob/fe6b1eb4b18fd54459e2505b1c2f54eb0a9c9fec/parser-ini.js#L14

The `msg.hasOwnProperty("xxx")` construct should not be used since ECMAScript 5.1. ESLint advises in the same direction: https://eslint.org/docs/rules/no-prototype-builtins

This patch was produced using the following regex:

Search: `\b([\w.]+).hasOwnProperty\(`
Replace: `Object.prototype.hasOwnProperty.call($1, `

This could be applied more globally if desired.

Such a fix might incidentally be slightly helpful for bugs such as #2780
Another example: Same bug, but with overriding

```json
[
  {
    "id": "15a1b09eda5613f2",
    "type": "inject",
    "z": "d9a661f4.ef966",
    "name": "",
    "props": [
      {
        "p": "payload"
      }
    ],
    "repeat": "",
    "crontab": "",
    "once": false,
    "onceDelay": 0.1,
    "topic": "",
    "payload": "{\"Hello\":\"World\",\"hasOwnProperty\":null}",
    "payloadType": "json",
    "x": 120,
    "y": 1200,
    "wires": [
      [
        "bdca2d4e9b10cdd7"
      ]
    ]
  },
  {
    "id": "bdca2d4e9b10cdd7",
    "type": "debug",
    "z": "d9a661f4.ef966",
    "name": "",
    "active": true,
    "tosidebar": true,
    "console": false,
    "tostatus": true,
    "complete": "payload",
    "targetType": "msg",
    "statusVal": "payload",
    "statusType": "auto",
    "x": 290,
    "y": 1200,
    "wires": []
  }
]
```
Looks good. Thanks for the fix - with unit tests! All the better for it.
One small issue with the jsdoc - we don't want internal functions showing up in the generated doc for users.
I passed the tests locally with Node.js 12. I am not sure why the CI fails. Looks unrelated?

Yup - unrelated test failure.
Nick, for future reference, should we mark any internal APIs with REF: https://jsdoc.app/tags-private.html
That way we can decorate the functions with info to assist at development time?
Proposed changes

Allows messages containing objects with no prototype built-in to be sent to a debug node without crashing.

In `utils.js`, constructs such as `msg.msg.constructor.name` will crash when `msg.msg.constructor` is null, for instance as a result of `Object.create(null)`.

In `21_debug.js`, constructs such as `msg.hasOwnProperty("status")` might make the debug node crash/produce an error if the payload was created with `Object.create(null)`. This is the case e.g. for `ini` (to parse INI files), an official NPM node: https://github.com/npm/ini/blob/4f289946b3bf95f144e849d771f64e4f2aa2737c/lib/ini.js#L63

My Node-RED node `node-red-contrib-parser-ini`, which is using that library, was hit by this bug and I had to ship a workaround https://github.com/alexandrainst/node-red-contrib-parser-ini/blob/fe6b1eb4b18fd54459e2505b1c2f54eb0a9c9fec/parser-ini.js#L14 to make it work with the default output `msg.payload` of the debug node.

The `msg.hasOwnProperty("xxx")` construct should not be used since ECMAScript 5.1, and there is no guarantee that `obj.constructor` exists. ESLint advises in the same direction: https://eslint.org/docs/rules/no-prototype-builtins

This patch was produced using the following regex:

Search: `\b([\w.]+).hasOwnProperty\(`
Replace: `hasOwnProperty.call($1, `

This could be applied more globally if desired.

Checklist

- `grunt` to verify the unit tests pass
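The two failure modes described in this thread (a prototype-less `Object.create(null)` message and an inject payload that shadows `hasOwnProperty` with `null`), reproduced as an added example that is not the PR's own code; the function names and the constructed messages are assumptions for illustration, not taken from Node-RED.

```javascript
// Added example, not code from the Node-RED PR: why `obj.hasOwnProperty(...)` and
// `obj.constructor.name` throw on the payloads described above, and the
// prototype-builtins-safe forms that do not.

// Safe own-property test: borrow the builtin from Object.prototype, so it works
// whether `obj` has no prototype or has shadowed `hasOwnProperty` itself.
function hasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Pre-fix pattern: resolves `hasOwnProperty` through the object's own chain.
function unsafeHasStatus(msg) {
  return msg.hasOwnProperty("status");
}
function safeHasStatus(msg) {
  return hasOwn(msg, "status");
}

// Pre-fix type-name lookup: throws when `constructor` is missing or null.
function unsafeTypeName(value) {
  return value.constructor.name;
}
// Hardened lookup: falls back to "object" when no usable constructor exists.
function safeTypeName(value) {
  const ctor = value && value.constructor;
  return ctor && typeof ctor.name === "string" ? ctor.name : "object";
}

// Runs fn(arg); returns the thrown error's name, or null if it succeeded.
function errorNameOf(fn, arg) {
  try { fn(arg); return null; } catch (e) { return e.name; }
}

// Constructed inputs mirroring the two reports in the thread:
// 1. a message built with Object.create(null), as an ini parse result would be;
// 2. an inject payload whose JSON shadows hasOwnProperty with null.
function nullProtoMsg() {
  const msg = Object.create(null);
  msg.payload = "key=value";
  msg.status = { text: "parsed" };
  return msg;
}
function shadowedMsg() {
  return JSON.parse('{"Hello":"World","hasOwnProperty":null,"status":{}}');
}

console.log(errorNameOf(unsafeHasStatus, nullProtoMsg()), safeHasStatus(nullProtoMsg())); // TypeError true
console.log(errorNameOf(unsafeHasStatus, shadowedMsg()), safeHasStatus(shadowedMsg()));   // TypeError true
console.log(errorNameOf(unsafeTypeName, nullProtoMsg()), safeTypeName(nullProtoMsg()));   // TypeError object
```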