Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

util: harden more built-in classes against prototype pollution #56225

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

util: harden more built-in classes against prototype pollution #56225

wants to merge 2 commits into from
+66 −4

Conversation

aduh95
Copy link
Contributor

@aduh95 aduh95 commented Dec 11, 2024
edited
Loading

For an arbitrary list of classes, we can protect against userland mutation of the constructor prototype property, and speed up the inspect call by avoiding a ObjectGetOwnPropertyDescriptor call. I tried to come up with a list of classes that are the most likely to be often inspected, though I haven't used any rigorous method, I just came up with it, and I'm certainly open to add/remove some.

Refs: #56188 (comment)

@nodejs-github-bot nodejs-github-bot added buffer Issues and PRs related to the buffer subsystem. needs-ci PRs that need a full CI run. util Issues and PRs related to the built-in util module. labels Dec 11, 2024
@codecov Codecov
Copy link

codecov bot commented Dec 11, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.53%. Comparing base (4a91507) to head (1beb43b).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #56225   +/-   ##
=======================================
  Coverage   88.53%   88.53%           
=======================================
  Files         657      657           
  Lines      189880   189901   +21     
  Branches    36453    36455    +2     
=======================================
+ Hits       168104   168134   +30     
+ Misses      14988    14973   -15     
- Partials     6788     6794    +6
Files with missing lines Coverage Δ
lib/buffer.js 100.00% <100.00%> (ø)
lib/internal/util/inspect.js 99.91% <100.00%> (+<0.01%) ⬆️

... and 41 files with indirect coverage changes

ljharb
ljharb approved these changes Dec 11, 2024
View reviewed changes
lib/internal/util/inspect.js
@@ -599,8 +608,13 @@ function isInstanceof(object, proto) {

// Special-case for some builtin prototypes in case their `constructor` property has been tampered.
const wellKnownPrototypes = new SafeMap();
Copy link
Member

@ljharb ljharb Dec 11, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const wellKnownPrototypes = new SafeMap();
const wellKnownPrototypes = new SafeWeakMap();

not sure if this affects performance or not - since the builtins aren't expected to be collected it probably doesn't matter either way, so stick with whatever's faster.

lib/buffer.js Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ljharb ljharb ljharb approved these changes

Assignees
No one assigned
Labels
buffer Issues and PRs related to the buffer subsystem. needs-ci PRs that need a full CI run. util Issues and PRs related to the built-in util module.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aduh95 @ljharb @nodejs-github-bot