tools: add ArrayPrototypeConcat to the list of primordials to avoid

nodejs · Aug 29, 2022 · 7bd6d34 · 7bd6d34
1 parent 4f4d394
commit 7bd6d34
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/test/parallel/test-eslint-avoid-prototype-pollution.js b/test/parallel/test-eslint-avoid-prototype-pollution.js
@@ -246,5 +246,9 @@ new RuleTester({
         code: 'PromiseRace([])',
         errors: [{ message: /\bSafePromiseRace\b/ }]
       },
+      {
+        code: 'ArrayPrototypeConcat([])',
+        errors: [{ message: /\bisConcatSpreadable\b/ }]
+      },
     ]
   });
diff --git a/tools/eslint-rules/avoid-prototype-pollution.js b/tools/eslint-rules/avoid-prototype-pollution.js
@@ -188,6 +188,14 @@ module.exports = {
           message: `Use Safe${node.callee.name} instead of ${node.callee.name}`,
         });
       },
+
+      [CallExpression('ArrayPrototypeConcat')](node) {
+        context.report({
+          node,
+          message: '%Array.prototype.concat% looks up `@@isConcatSpreadable` ' +
+                   'which can be subject to prototype pollution',
+        });
+      },
     };
   },
 };