fix(security): improve results object creation

[wellwelwel]

Finishing the tasks started in #2424 (and #2572).

This PR ensures a clean object evaluation for every item in results.

This is the final evaluation for both text and binary parsers:

const result = Object.create(null);

Object.defineProperty(result, 'constructor', {
  value: Object.create(null),
  writable: false,
  configurable: false,
  enumerable: false
});

// ...

// nestTables
if (!result[${tableName}]) result[${tableName}] = Object.create(null);

I also tried a simple Object.freeze(result.prototype), but the unit tests (specific to this) didn't pass as expected 🔓

---

Note

These changes preserve security without affecting the end user:

const [results] = await connection.query('SELECT 1+1 AS `test`'); // or execute

results[0].test.toFixed(2); // '2.00' ✅
results[0].addCustomProp = true; // true ✅

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.32%. Comparing base (71115d8) to head (7e1a7e6).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #2574   +/-   ##
=======================================
  Coverage   90.31%   90.32%           
=======================================
  Files          71       71           
  Lines       15708    15717    +9     
  Branches     1333     1334    +1     
=======================================
+ Hits        14187    14196    +9     
  Misses       1521     1521           

Flag	Coverage Δ
compression-0	90.32% <100.00%> (+<0.01%)	⬆️
compression-1	90.32% <100.00%> (+<0.01%)	⬆️
tls-0	89.84% <100.00%> (+<0.01%)	⬆️
tls-1	90.14% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[wellwelwel]

@sidorares, as done in #2572, I'll merge and attribute the credits manually.

Also, I've sent you some more detailed information by e-mail 🙋🏻‍♂️

[ert78gb]

Hi,

Sorry for commenting on a closed PR, but it introduced a breaking changes for me.
I use node:assert/strict library for assertion and it recognise the constructor own property of the "mysql object" as a new property. I construct the expected object as object literals, that does not contains the null prototype constructor

I created a reproduction repo https://github.com/ert78gb/mysql2-object-creation

I would like to know what is your opinion about this "breaking changes". Do you think node:assert library should change the comparison algorithm or you would like to modify the mysql2 lib.

If you would like I could open a new issue.

Thx,
Robi

[wellwelwel]

Hm... 🤔

Hi @ert78gb, I can't answer yet whether it's an unintentional breaking change for deep tests comparisons or if it can be fixed. I need to elaborate some tests.

Thanks for the basic repro, I'll start with that.