esm: protect ESM loader from prototype pollution #45175
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to `Array.prototype` pollution. This commit fixes that, the tradeoff is that it modifies the `ESMLoader.prototype.import` return type from an `Array` to an array-like object. Refs: nodejs#45044
|
Review requested:
|
nodejs-github-bot
added
lib / src
ljharb
suggested changes
Oct 25, 2022
ljharb
reviewed
Oct 25, 2022
ljharb
approved these changes
Oct 26, 2022
GeoffreyBooth
approved these changes
Oct 26, 2022
There was a problem hiding this comment.
LGTM.
Out of scope for this PR, but should we have tests that things like our primordial PromisePrototypeAll behaves equivalently to Promise.all? Maybe an identical expected result from each in a test, where we wouldn’t have to worry about prototype pollution?
aduh95
added
author ready
github-actions
bot
removed
the
request-ci
This comment was marked as outdated.
This comment was marked as outdated.
aduh95
commented
Oct 26, 2022
13 tasks
anonrig
approved these changes
Oct 27, 2022
aduh95
added
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in 2e2dc99 |
5 tasks
10 tasks
This was referenced Oct 29, 2022
RafaelGSS
pushed a commit
that referenced
this pull request
Nov 1, 2022
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to `Array.prototype` pollution. This commit fixes that, the tradeoff is that it modifies the `ESMLoader.prototype.import` return type from an `Array` to an array-like object. Refs: #45044 PR-URL: #45175 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Merged
RafaelGSS
pushed a commit
that referenced
this pull request
Nov 10, 2022
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to `Array.prototype` pollution. This commit fixes that, the tradeoff is that it modifies the `ESMLoader.prototype.import` return type from an `Array` to an array-like object. Refs: #45044 PR-URL: #45175 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
danielleadams
pushed a commit
that referenced
this pull request
Dec 30, 2022
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to `Array.prototype` pollution. This commit fixes that, the tradeoff is that it modifies the `ESMLoader.prototype.import` return type from an `Array` to an array-like object. Refs: #45044 PR-URL: #45175 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
danielleadams
pushed a commit
that referenced
this pull request
Dec 30, 2022
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to `Array.prototype` pollution. This commit fixes that, the tradeoff is that it modifies the `ESMLoader.prototype.import` return type from an `Array` to an array-like object. Refs: #45044 PR-URL: #45175 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
danielleadams
pushed a commit
that referenced
this pull request
Jan 3, 2023
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to `Array.prototype` pollution. This commit fixes that, the tradeoff is that it modifies the `ESMLoader.prototype.import` return type from an `Array` to an array-like object. Refs: #45044 PR-URL: #45175 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
alan-agius4
added a commit
to alan-agius4/angular
that referenced
this pull request
Jun 2, 2023
In angular#49144 we introduced a change to only path `Promise.prototype.then` due to Node.js `SafePromise` complaining about `Promise.prototype.then` called on incompatible receiver. This however introduced a number of regressions. This commit reverts this change and re-introduces the changes to path the entire promise on Node. The original problem `SafePromise` problem is no longer reproducible as of Node.js version 18.13+ as it was addressed as part of nodejs/node#45175 While the Angular CLI does not yet generate ESM server bundles, users using ESM with dynamic imports will require using Node.js 18.13 or later. Closes angular#50513, closes angular#50457, closes angular#50414 and closes angular#49930
alan-agius4
added a commit
to alan-agius4/angular
that referenced
this pull request
Jun 2, 2023
In angular#49144 we introduced a change to only path `Promise.prototype.then` due to Node.js `SafePromise` complaining about `Promise.prototype.then` called on incompatible receiver. This however introduced a number of regressions. This commit reverts this change and re-introduces the changes to patch the entire promise on Node. The original `SafePromise` problem is no longer reproducible as of Node.js version 18.13+ as it was addressed as part of nodejs/node#45175. While the Angular CLI does not yet generate ESM server bundles, users using ESM with dynamic imports will require using Node.js 18.13 or later. Closes angular#50513, closes angular#50457, closes angular#50414 and closes angular#49930
alan-agius4
added a commit
to alan-agius4/angular
that referenced
this pull request
Jun 2, 2023
In angular#49144 we introduced a change to only path `Promise.prototype.then` due to Node.js `SafePromise` complaining about `Promise.prototype.then` called on incompatible receiver. This however introduced a number of regressions. This commit reverts this change and re-introduces the changes to patch the entire promise on Node. The original `SafePromise` problem is no longer reproducible as of Node.js version 18.13+ as it was addressed as part of nodejs/node#45175. While the Angular CLI does not yet generate ESM server bundles, users using ESM with dynamic imports will require using Node.js 18.13 or later. Closes angular#50513, closes angular#50457, closes angular#50414 and closes angular#49930
alxhub
pushed a commit
to angular/angular
that referenced
this pull request
Jun 2, 2023
In #49144 we introduced a change to only path `Promise.prototype.then` due to Node.js `SafePromise` complaining about `Promise.prototype.then` called on incompatible receiver. This however introduced a number of regressions. This commit reverts this change and re-introduces the changes to patch the entire promise on Node. The original `SafePromise` problem is no longer reproducible as of Node.js version 18.13+ as it was addressed as part of nodejs/node#45175. While the Angular CLI does not yet generate ESM server bundles, users using ESM with dynamic imports will require using Node.js 18.13 or later. Closes #50513, closes #50457, closes #50414 and closes #49930 PR Close #50552
alxhub
pushed a commit
to angular/angular
that referenced
this pull request
Jun 2, 2023
In #49144 we introduced a change to only path `Promise.prototype.then` due to Node.js `SafePromise` complaining about `Promise.prototype.then` called on incompatible receiver. This however introduced a number of regressions. This commit reverts this change and re-introduces the changes to patch the entire promise on Node. The original `SafePromise` problem is no longer reproducible as of Node.js version 18.13+ as it was addressed as part of nodejs/node#45175. While the Angular CLI does not yet generate ESM server bundles, users using ESM with dynamic imports will require using Node.js 18.13 or later. Closes #50513, closes #50457, closes #50414 and closes #49930 PR Close #50552
thomasturrell
pushed a commit
to thomasturrell/angular
that referenced
this pull request
Aug 29, 2023
In angular#49144 we introduced a change to only path `Promise.prototype.then` due to Node.js `SafePromise` complaining about `Promise.prototype.then` called on incompatible receiver. This however introduced a number of regressions. This commit reverts this change and re-introduces the changes to patch the entire promise on Node. The original `SafePromise` problem is no longer reproducible as of Node.js version 18.13+ as it was addressed as part of nodejs/node#45175. While the Angular CLI does not yet generate ESM server bundles, users using ESM with dynamic imports will require using Node.js 18.13 or later. Closes angular#50513, closes angular#50457, closes angular#50414 and closes angular#49930 PR Close angular#50552
ChellappanRajan
pushed a commit
to ChellappanRajan/angular
that referenced
this pull request
Jan 23, 2024
In angular#49144 we introduced a change to only path `Promise.prototype.then` due to Node.js `SafePromise` complaining about `Promise.prototype.then` called on incompatible receiver. This however introduced a number of regressions. This commit reverts this change and re-introduces the changes to patch the entire promise on Node. The original `SafePromise` problem is no longer reproducible as of Node.js version 18.13+ as it was addressed as part of nodejs/node#45175. While the Angular CLI does not yet generate ESM server bundles, users using ESM with dynamic imports will require using Node.js 18.13 or later. Closes angular#50513, closes angular#50457, closes angular#50414 and closes angular#49930 PR Close angular#50552
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to
Array.prototypepollution. This commit fixes that, the tradeoff is that it modifies theESMLoader.prototype.importreturn type from anArrayto an array-like object.FWIW I don't expect changing the return type of
ESMLoader.prototype.importto have any kind of unforeseen consequences, and I don't think it's exposed to user land in any way. //cc @nodejs/loadersRefs: #45044