Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIX Protect against object prototype pollution #879

Merged
merged 2 commits into from
Jul 25, 2019
Merged

FIX Protect against object prototype pollution #879

merged 2 commits into from
Jul 25, 2019

Conversation

dhensby
Copy link
Collaborator

@dhensby dhensby commented Jun 6, 2019

What this does:

Fixes #261

@dhensby dhensby requested a review from willmorgan June 6, 2019 15:26
@dhensby dhensby mentioned this pull request Jun 6, 2019
Closed
@dhensby dhensby force-pushed the pulls/fix-261-protect-against-object-prototype-pollution branch from 6342a92 to 448aaf0 Compare June 7, 2019 10:40
willmorgan
willmorgan requested changes Jun 8, 2019
View reviewed changes
Copy link
Collaborator

@willmorgan willmorgan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Builtin prototype extension is a bad idea so while we should guard against security related implications, this does look ugly.

I wonder if we should put this check in a function rather than peppering it everywhere?

@dhensby
Copy link
Collaborator Author

dhensby commented Jun 8, 2019

I wonder if we should put this check in a function rather than peppering it everywhere?

We'd replace one function with another 1 line function, which would have to be peppered about, so I'm not clear on the advantage of doing that

this does look ugly.

The alternative is to change how we iterate through the properties of an object, just Object.keys() maybe? But I don't really see that being too much nicer - we're still mitigating bad code, but that's kid of our job as a library.

@willmorgan
Copy link
Collaborator

We'd replace one function with another 1 line function, which would have to be peppered about, so I'm not clear on the advantage of doing that

I think a function named safeIterateParameters would be a bit more descriptive for future travellers.

@dhensby
Copy link
Collaborator Author

dhensby commented Jun 10, 2019

I think a function named safeIterateParameters would be a bit more descriptive for future travellers.

I'm not sure that's going to be any clearer - that means a future dev will have to go and look at what the function does (not a lot) rather than just see a single inline call to hasOwnProperty

It's also oddly specific, what if we want to 'safely iterate' over another object?

@willmorgan
Copy link
Collaborator

Shrug.

@willmorgan willmorgan merged commit f8912dd into tediousjs:master Jul 25, 2019
@dhensby dhensby deleted the pulls/fix-261-protect-against-object-prototype-pollution branch July 25, 2019 11:03
@snyk-bot snyk-bot mentioned this pull request Mar 21, 2020
Open
@thegoatherder thegoatherder mentioned this pull request Sep 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@willmorgan willmorgan willmorgan approved these changes

@josealexandre josealexandre josealexandre approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

TypeError => 'validate' of undefined (prototype leakage)
3 participants
@dhensby @willmorgan @josealexandre