module: protect against prototype mutation

Ensures that mutating the `Object` prototype does not influence the parsing of `package.json` files. PR-URL: #44007 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
nodejs · Oct 11, 2022 · b665171 · b665171
1 parent 1022ece
commit b665171
Show file tree

Hide file tree

Showing 8 changed files with 96 additions and 15 deletions.
diff --git a/lib/internal/modules/cjs/helpers.js b/lib/internal/modules/cjs/helpers.js
@@ -24,6 +24,7 @@ const path = require('path');
 const { pathToFileURL, fileURLToPath, URL } = require('internal/url');
 
 const { getOptionValue } = require('internal/options');
+const { setOwnProperty } = require('internal/util');
 const userConditions = getOptionValue('--conditions');
 
 let debug = require('internal/util/debuglog').debuglog('module', (fn) => {
@@ -117,7 +118,7 @@ function makeRequireFunction(mod, redirects) {
 
   resolve.paths = paths;
 
-  require.main = process.mainModule;
+  setOwnProperty(require, 'main', process.mainModule);
 
   // Enable support to add extra extension types.
   require.extensions = Module._extensions;

diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
@@ -79,7 +79,7 @@ const {
   maybeCacheSourceMap,
 } = require('internal/source_map/source_map_cache');
 const { pathToFileURL, fileURLToPath, isURLInstance } = require('internal/url');
-const { deprecate, kEmptyObject } = require('internal/util');
+const { deprecate, kEmptyObject, filterOwnProperties, setOwnProperty } = require('internal/util');
 const vm = require('vm');
 const assert = require('internal/assert');
 const fs = require('fs');
@@ -172,7 +172,7 @@ const moduleParentCache = new SafeWeakMap();
 function Module(id = '', parent) {
   this.id = id;
   this.path = path.dirname(id);
-  this.exports = {};
+  setOwnProperty(this, 'exports', {});
   moduleParentCache.set(this, parent);
   updateChildren(parent, this, false);
   this.filename = null;
@@ -312,14 +312,13 @@ function readPackage(requestPath) {
   }
 
   try {
-    const parsed = JSONParse(json);
-    const filtered = {
-      name: parsed.name,
-      main: parsed.main,
-      exports: parsed.exports,
-      imports: parsed.imports,
-      type: parsed.type
-    };
+    const filtered = filterOwnProperties(JSONParse(json), [
+      'name',
+      'main',
+      'exports',
+      'imports',
+      'type',
+    ]);
     packageJsonCache.set(jsonPath, filtered);
     return filtered;
   } catch (e) {
@@ -1191,7 +1190,7 @@ Module._extensions['.json'] = function(module, filename) {
   }
 
   try {
-    module.exports = JSONParse(stripBOM(content));
+    setOwnProperty(module, 'exports', JSONParse(stripBOM(content)));
   } catch (err) {
     err.message = filename + ': ' + err.message;
     throw err;

diff --git a/lib/internal/modules/esm/package_config.js b/lib/internal/modules/esm/package_config.js
@@ -2,6 +2,7 @@
 
 const {
   JSONParse,
+  ObjectPrototypeHasOwnProperty,
   SafeMap,
   StringPrototypeEndsWith,
 } = primordials;
@@ -11,6 +12,7 @@ const {
 } = require('internal/errors').codes;
 
 const packageJsonReader = require('internal/modules/package_json_reader');
+const { filterOwnProperties } = require('internal/util');
 
 
 /**
@@ -66,8 +68,8 @@ function getPackageConfig(path, specifier, base) {
     );
   }
 
-  let { imports, main, name, type } = packageJSON;
-  const { exports } = packageJSON;
+  let { imports, main, name, type } = filterOwnProperties(packageJSON, ['imports', 'main', 'name', 'type']);
+  const exports = ObjectPrototypeHasOwnProperty(packageJSON, 'exports') ? packageJSON.exports : undefined;
   if (typeof imports !== 'object' || imports === null) {
     imports = undefined;
   }

diff --git a/lib/internal/util.js b/lib/internal/util.js
@@ -14,6 +14,7 @@ const {
   ObjectGetOwnPropertyDescriptors,
   ObjectGetPrototypeOf,
   ObjectFreeze,
+  ObjectPrototypeHasOwnProperty,
   ObjectSetPrototypeOf,
   Promise,
   ReflectApply,
@@ -518,6 +519,35 @@ ObjectFreeze(kEnumerableProperty);
 
 const kEmptyObject = ObjectFreeze(ObjectCreate(null));
 
+function filterOwnProperties(source, keys) {
+  const filtered = ObjectCreate(null);
+  for (let i = 0; i < keys.length; i++) {
+    const key = keys[i];
+    if (ObjectPrototypeHasOwnProperty(source, key)) {
+      filtered[key] = source[key];
+    }
+  }
+
+  return filtered;
+}
+
+/**
+ * Mimics `obj[key] = value` but ignoring potential prototype inheritance.
+ * @param {any} obj
+ * @param {string} key
+ * @param {any} value
+ * @returns {any}
+ */
+function setOwnProperty(obj, key, value) {
+  return ObjectDefineProperty(obj, key, {
+    __proto__: null,
+    configurable: true,
+    enumerable: true,
+    value,
+    writable: true,
+  });
+}
+
 module.exports = {
   assertCrypto,
   cachedResult,
@@ -530,6 +560,7 @@ module.exports = {
   emitExperimentalWarning,
   exposeInterface,
   filterDuplicateStrings,
+  filterOwnProperties,
   getConstructorOf,
   getSystemErrorMap,
   getSystemErrorName,
@@ -560,4 +591,5 @@ module.exports = {
 
   kEmptyObject,
   kEnumerableProperty,
+  setOwnProperty,
 };
diff --git a/test/fixtures/es-module-specifiers/index.mjs b/test/fixtures/es-module-specifiers/index.mjs
@@ -1,10 +1,11 @@
 import explicit from 'explicit-main';
 import implicit from 'implicit-main';
 import implicitModule from 'implicit-main-type-module';
+import noMain from 'no-main-field';
 
 function getImplicitCommonjs () {
   return import('implicit-main-type-commonjs');
 }
 
-export {explicit, implicit, implicitModule, getImplicitCommonjs};
+export {explicit, implicit, implicitModule, getImplicitCommonjs, noMain};
 export default 'success';
diff --git a/test/fixtures/es-module-specifiers/node_modules/no-main-field/index.js b/test/fixtures/es-module-specifiers/node_modules/no-main-field/index.js
diff --git a/test/fixtures/es-module-specifiers/node_modules/no-main-field/package.json b/test/fixtures/es-module-specifiers/node_modules/no-main-field/package.json
diff --git a/test/parallel/test-module-prototype-mutation.js b/test/parallel/test-module-prototype-mutation.js
@@ -0,0 +1,43 @@
+'use strict';
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+const assert = require('assert');
+
+Object.defineProperty(Object.prototype, 'name', {
+  __proto__: null,
+  get: common.mustNotCall('get %Object.prototype%.name'),
+  set: common.mustNotCall('set %Object.prototype%.name'),
+  enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'main', {
+  __proto__: null,
+  get: common.mustNotCall('get %Object.prototype%.main'),
+  set: common.mustNotCall('set %Object.prototype%.main'),
+  enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'type', {
+  __proto__: null,
+  get: common.mustNotCall('get %Object.prototype%.type'),
+  set: common.mustNotCall('set %Object.prototype%.type'),
+  enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'exports', {
+  __proto__: null,
+  get: common.mustNotCall('get %Object.prototype%.exports'),
+  set: common.mustNotCall('set %Object.prototype%.exports'),
+  enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'imports', {
+  __proto__: null,
+  get: common.mustNotCall('get %Object.prototype%.imports'),
+  set: common.mustNotCall('set %Object.prototype%.imports'),
+  enumerable: false,
+});
+
+assert.strictEqual(
+  require(fixtures.path('es-module-specifiers', 'node_modules', 'no-main-field')),
+  'no main field'
+);
+
+import(fixtures.fileURL('es-module-specifiers', 'index.mjs'))
+  .then(common.mustCall((module) => assert.strictEqual(module.noMain, 'no main field')));