feat: use Map rather than Object for internal result properties #57
Conversation
There was a problem hiding this comment.
I like this change, I think it would be worth adding a few unit tests that demonstrate that we're protected from a prototype pollution, here are some specific test cases added for yargs to address security issues:
yargs/yargs-parser#258
yargs/yargs-parser#234
https://github.com/yargs/y18n/blob/master/test/y18n-test.cjs#L356
| flags: {}, | ||
| values: {}, | ||
| flags: new Map(), | ||
| values: new Map(), |
There was a problem hiding this comment.
These need to use SafeMap instead - and, then they don’t have to use the prototype primordials.
(If they don’t, then the ObjectFromEntries call isn’t safe, because of Map.prototype[Symbol.iterator])
There was a problem hiding this comment.
(@shadowspawn note, you can just import SafeMap from primordials).
|
Thanks for feedback. I'll start again rather than leave this open, as it may be a couple of weeks before I have time. |
This came out of discussion around potential for prototype pollution. Use a Map rather than Object internally. Convert to Object for returning to client.
See #32 (comment)
(Why not use
Setforflags? Could, but a little easier to convert fromMaptoObject!)