[v16.x backport] tools: add avoid-prototype-pollution lint rule #44081

Closed
wants to merge 4 commits into from

Commits on Aug 1, 2022

  1. tools: add avoid-prototype-pollution lint rule

    PR-URL: nodejs#43308
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    aduh95 committed Aug 1, 2022
    Commit 0f489bc
  2. tools: report unsafe string and regex primordials as lint errors

    | The string method             | looks up the property |
    | ----------------------------- | --------------------- |
    | `String.prototype.match`      | `Symbol.match`        |
    | `String.prototype.matchAll`   | `Symbol.matchAll`     |
    | `String.prototype.replace`    | `Symbol.replace`      |
    | `String.prototype.replaceAll` | `Symbol.replace`      |
    | `String.prototype.search`     | `Symbol.search`       |
    | `String.prototype.split`      | `Symbol.split`        |
    
    Functions that look up the `exec` property on the prototype chain:
    
    * `RegExp.prototype[Symbol.match]`
    * `RegExp.prototype[Symbol.matchAll]`
    * `RegExp.prototype[Symbol.replace]`
    * `RegExp.prototype[Symbol.search]`
    * `RegExp.prototype[Symbol.split]`
    * `RegExp.prototype.test`
    
    `RegExp.prototype[Symbol.replace]` and `RegExp.prototype[Symbol.split]`
    are still allowed for lack of a better solution.
    
    PR-URL: nodejs#43393
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    aduh95 committed Aug 1, 2022
    Commit e0b41a5
  3. tools,doc: add guards against prototype pollution when creating proxies

    PR-URL: nodejs#43391
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: LiviaMedeiros <livia@cirno.name>
    Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
    aduh95 committed Aug 1, 2022
    Commit 4327ff8
  4. lib: refactor to avoid unsafe regex primordials

    PR-URL: nodejs#43475
    Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
    Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
    aduh95 committed Aug 1, 2022
    Commit 9994a1b
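
The lookups listed in the message of commit 2, shown as an added example that is not code from this PR or from Node.js. The helpers `uncurryThis`, `withPatched`, `demoExecLookup` and `demoSymbolLookup` are local to this sketch, and the patched functions are constructed stand-ins for user-land code that mutates a built-in prototype. It shows that a captured `test` or `search` still consults the live prototype, while a captured `exec` does not.

```javascript
// Added example, not code from the PR or from Node.js itself.
// Local stand-ins for "captured" intrinsics, taken before any mutation.
const uncurryThis = (fn) => (thisArg, ...args) => Reflect.apply(fn, thisArg, args);
const RegExpPrototypeTest = uncurryThis(RegExp.prototype.test);
const RegExpPrototypeExec = uncurryThis(RegExp.prototype.exec);
const StringPrototypeSearch = uncurryThis(String.prototype.search);

// Run fn() while target[key] is temporarily replaced, then restore it.
// This stands in for user-land code that mutates a built-in prototype.
function withPatched(target, key, value, fn) {
  const desc = Object.getOwnPropertyDescriptor(target, key);
  Object.defineProperty(target, key, { ...desc, value });
  try {
    return fn();
  } finally {
    Object.defineProperty(target, key, desc);
  }
}

// RegExp.prototype.test looks up `exec` on the receiver at call time,
// so the captured `test` still ends up calling the replaced `exec`.
function demoExecLookup() {
  const re = /^[a-z]+$/;
  const fakeExec = () => ['constructed']; // any non-null object counts as a match
  return withPatched(RegExp.prototype, 'exec', fakeExec, () => ({
    viaTest: RegExpPrototypeTest(re, '123'),
    viaExec: RegExpPrototypeExec(re, '123') !== null,
  }));
}

// String.prototype.search looks up Symbol.search on its argument,
// so the captured `search` dispatches to the replaced method.
function demoSymbolLookup() {
  const re = /b/;
  const fakeSearch = () => 99; // constructed bogus result
  return withPatched(RegExp.prototype, Symbol.search, fakeSearch, () => ({
    viaSearch: StringPrototypeSearch('abc', re),
    viaExec: RegExpPrototypeExec(re, 'abc')?.index ?? -1,
  }));
}

console.log(demoExecLookup(), demoSymbolLookup());
```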