Comments (5)
evanplaice
commented on July 22, 2024
1
Well, this lib doesn't suffer from any security vulnerabilities but some deeply nested dependencies did. The reason the bot patch didn't fix it was due to one specific deeply nested dependency of ESLint. I almost had to patch ESLint to fix it but fortunately the dep with the issue published a fix.
Gonna close this for now unless you can think of an other potential security vulnerability vectors.
from absurdum.
jkvyff
commented on July 22, 2024
Yep, we do have that structure. Though, it would appear to be less damaging as both objects are being merged onto a new object so it couldn't effect the input objects upstream. I will test what is possible this Friday.
from absurdum.
jkvyff
commented on July 22, 2024
After a review, it would seem we are secure. Because when we set properties using previous objects, we have used Object.keys to grab any property names. and we never grab the redefined proto property to set on the new object.
We would have to be careful of this depending on the implementation of functions using inherited properties to create new objects, but unless I missed something, the current implementation should not have this issue.
We effectively use the prevention of using an object with the default prototype and not copying or characteristics of the source objects prototypes.
from absurdum.
jkvyff
commented on July 22, 2024
Also just made this to visualize part of the problem
const obj1 = { left: 22 };
const func1 = () => 'Howdy';
Object.defineProperty(obj1, 'toString', {
value: func1,
enumerable: true
});
const obj2 = { __proto__: obj1, up: 57 }; /// Don't allow __proto__ to be merged to new object
// ***Possible Issue To avoid***
console.log(Object.prototype.toString())
// [object Object]
console.log(obj2.toString())
// 'Howdy'
// ***Property key we use***
console.log(Object.keys(obj1))
// [ 'left', 'toString' ]
console.log([...Object.keys(obj2), ...Object.getOwnPropertyNames(Object.getPrototypeOf(obj2))])
// ***All Defined***
// [ 'up', 'left', 'toString' ]
console.log([...Object.keys(obj2), ...Object.keys(obj1), ...Object.getOwnPropertyNames(Object.getPrototypeOf(obj1))])
// ***All runnable***
/* [ 'up', 'left', 'toString',
'constructor',
'__defineGetter__',
'__defineSetter__',
'hasOwnProperty',
'__lookupGetter__',
'__lookupSetter__',
'isPrototypeOf',
'propertyIsEnumerable',
'toString',
'valueOf',
'__proto__',
'toLocaleString' ]
*/from absurdum.
evanplaice
commented on July 22, 2024
I was thinking of something more like this. Although, it doesn't mutate the proto.
If objects.merge worked recursively to merge both own properties and proto properties, that would be a concern. _.set was another operator mentioned in the report but we decided to skip that one pre-1.0 b/c using reduce to set one value isn't very efficient.
On second thought, none of our operators mutate the input. Isn't that kind of the point?
Assuming there is some leak that we haven't considered, we could always add an input check to verify that none of the inputs are the Object prototype
if (input.isPrototypeOf(Object)) { throw Error('The Object prototype is not a valid input'); }from absurdum.
Related Issues (20)
- strings.pascalCase HOT 1
- strings.snakeCase HOT 1
- strings.template HOT 1
- strings.truncate HOT 2
- strings.words HOT 1
- The Chopping Block for 1.0
- Re-order README.md HOT 1
- How should we handle Words breakdown? HOT 1
- objects.entries HOT 1
- Replace objects.include/exclude -> objects.filter? HOT 3
- Change operators with Object.entries to use Object.keys to improve cross browser compatibility HOT 1
- IE Compatibility HOT 2
- objects.filter HOT 2
- arrays.filter HOT 1
- arrays.map HOT 1
- Pre 1.0 Release Leftovers HOT 11
- Should Absurdum have a Logo? HOT 6
- Add mutability test to all methods without HOT 1
- New Entry Points HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from absurdum.