Avoid hitting __proto__ in _inheritsLoose #12693

Merged
merged 1 commit into from Jan 26, 2021

@ChALkeR ChALkeR commented Jan 26, 2021

| Q | A |
| --- | --- |
| Fixed Issues? | Not filed, see description below. |
| Patch: Bug Fix? | Yes |
| Major: Breaking Change? | No |
| Minor: New Feature? | No |
| Tests Added + Pass? | Yes (updated existing tests) |
| Documentation PR Link | None |
| Any Dependency Changes? | None |
| License | MIT |

This avoids hitting __proto__ for hardened environments where __proto__ is disabled.

See discussion in nodejs/node#31951 and these changes: nodejs/node#32279, denoland/deno#4341.

Note that per spec, __proto__ is defined in section B.2.2 (Additional ECMAScript Features for Web Browsers → B.2.2 Additional Properties of the Object.prototype Object), which is optional for non-browsers:

> The ECMAScript language syntax and semantics defined in this annex are required when the ECMAScript host is a web browser. The content of this annex is normative but optional if the ECMAScript host is not a web browser.

Class transforms should not rely on __proto__ to be present, as classes are defined in section 14.6.

To check that this works, run with: NODE_OPTIONS=--disable-proto=throw before and after this change (or any generated output.js files in loose mode):

[chalker@workstation babel]$ git checkout main  
Switched to branch 'main'
Your branch is up to date with 'origin/main'.
[chalker@workstation babel]$ NODE_OPTIONS=--disable-proto=throw node ./packages/babel-plugin-transform-classes/test/fixtures/extend-builtins/loose/output.js
/home/chalker/repo/babel/packages/babel-plugin-transform-classes/test/fixtures/extend-builtins/loose/output.js:1
function _inheritsLoose(subClass, superClass) { subClass.prototype = Object.create(superClass.prototype); subClass.prototype.constructor = subClass; subClass.__proto__ = superClass; }
                                                                                                                                                                        ^

Error: Accessing Object.prototype.__proto__ has been disallowed with --disable-proto=throw
    at _inheritsLoose (/home/chalker/repo/babel/packages/babel-plugin-transform-classes/test/fixtures/extend-builtins/loose/output.js:1:169)
    at /home/chalker/repo/babel/packages/babel-plugin-transform-classes/test/fixtures/extend-builtins/loose/output.js:18:3
    at Object.<anonymous> (/home/chalker/repo/babel/packages/babel-plugin-transform-classes/test/fixtures/extend-builtins/loose/output.js:25:2)
    at Module._compile (internal/modules/cjs/loader.js:1137:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1157:10)
    at Module.load (internal/modules/cjs/loader.js:985:32)
    at Function.Module._load (internal/modules/cjs/loader.js:878:14)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:71:12)
    at internal/main/run_main_module.js:17:47 {
  code: 'ERR_PROTO_ACCESS'
}
[chalker@workstation babel]$ git checkout chalker/set-proto
Switched to branch 'chalker/set-proto'
Your branch is up to date with 'chalker/chalker/set-proto'.
[chalker@workstation babel]$ NODE_OPTIONS=--disable-proto=throw node ./packages/babel-plugin-transform-classes/test/fixtures/extend-builtins/loose/output.js
[chalker@workstation babel]$

I believe this could be a semver-patch or a semver-minor for v7.

Note: before v7, this was not the only place which hit __proto__, but #7675 resolved the other one in v7.
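
The failure shown in the terminal session above, reproduced in a single process next to a variant that avoids the accessor. This is an added example, not Babel's helper code and not part of the original comment. The function names are hypothetical, and the throwing accessor only simulates `--disable-proto=throw`:

```javascript
// Loose helper as printed in the stack trace above: the last line assigns
// through the Object.prototype.__proto__ accessor.
function inheritsLooseViaProto(subClass, superClass) {
  subClass.prototype = Object.create(superClass.prototype);
  subClass.prototype.constructor = subClass;
  subClass.__proto__ = superClass;
}

// Variant (assumption, not the merged code) that links the constructors with
// the standard built-in Object.setPrototypeOf instead of the accessor.
function inheritsLooseViaSetPrototypeOf(subClass, superClass) {
  subClass.prototype = Object.create(superClass.prototype);
  subClass.prototype.constructor = subClass;
  Object.setPrototypeOf(subClass, superClass);
}

// Simulates --disable-proto=throw: swap the accessor for one that throws,
// run fn, then restore the original descriptor.
function withProtoDisabled(fn) {
  const saved = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
  const deny = () => {
    throw Object.assign(new Error("__proto__ access disallowed (simulated)"), { code: "ERR_PROTO_ACCESS" });
  };
  Object.defineProperty(Object.prototype, "__proto__", { get: deny, set: deny, configurable: true });
  try {
    return fn();
  } finally {
    if (saved) Object.defineProperty(Object.prototype, "__proto__", saved);
    else delete Object.prototype.__proto__;
  }
}

// Applies one helper to a constructed Base/Derived pair while the accessor
// is disabled and reports whether static and instance inheritance work.
function tryInherit(inherits) {
  function Base() {}
  Base.create = function () { return new this(); };
  Base.prototype.kind = function () { return "base"; };
  function Derived() {}
  return withProtoDisabled(() => {
    try { inherits(Derived, Base); } catch (err) { return { ok: false, code: err.code }; }
    return {
      ok: true,
      staticInherited: Derived.create() instanceof Derived,
      methodInherited: new Derived().kind() === "base",
    };
  });
}

console.log("via __proto__:", tryInherit(inheritsLooseViaProto));
console.log("via setPrototypeOf:", tryInherit(inheritsLooseViaSetPrototypeOf));
```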


babel-bot commented Jan 26, 2021

Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/38453/


codesandbox-ci bot commented Jan 26, 2021

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit f792449:

| Sandbox | Source |
| --- | --- |
| babel-repl-custom-plugin | Configuration |
| babel-plugin-multi-config | Configuration |


@JLHwung JLHwung left a comment

Thanks!

@JLHwung JLHwung added area: helpers PR: Bug Fix 🐛 A type of pull request used for our changelog categories labels Jan 26, 2021
@nicolo-ribaudo nicolo-ribaudo merged commit 9907bd8 into babel:main Jan 26, 2021
@github-actions github-actions bot added the outdated A closed issue/PR that is archived due to age. Recommended to make a new issue label Apr 28, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 28, 2021