Preventing prototype pollution vulnerabilities #2115
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gingerbenw
reviewed
Apr 8, 2024
|
was the vulnerability just for the clear method? should we add it to the |
|
Yes, it was only for |
AnastasiiaSvietlova
requested review from
gingerbenw
and removed request for
gingerbenw
gingerbenw
approved these changes
Apr 12, 2024
CHANGELOG.md
Outdated
Comment on lines
7
to
9
| - (metadata-delegate) Preventing prototype pollution vulnerabilities [#2115](https://github.com/bugsnag/bugsnag-js/pull/2115) | ||
|
|
||
| - (plugin-interaction-breadcrumbs) Improved performance of click event breadcrumbs [#2094](https://github.com/bugsnag/bugsnag-js/pull/2094) |
There was a problem hiding this comment.
Just a bit of formatting:
Suggested change
| - (metadata-delegate) Preventing prototype pollution vulnerabilities [#2115](https://github.com/bugsnag/bugsnag-js/pull/2115) | |
| - (plugin-interaction-breadcrumbs) Improved performance of click event breadcrumbs [#2094](https://github.com/bugsnag/bugsnag-js/pull/2094) | |
| - (plugin-interaction-breadcrumbs) Improved performance of click event breadcrumbs [#2094](https://github.com/bugsnag/bugsnag-js/pull/2094) | |
| - (metadata-delegate) Preventing prototype pollution vulnerabilities [#2115](https://github.com/bugsnag/bugsnag-js/pull/2115) |
| key: 'prototype', | ||
| expected: {} | ||
| } | ||
| ])('should not add constructor or prototype keys', ({ key, expected }) => { |
There was a problem hiding this comment.
You can use $key here (or any key in objects provided to .each) to output the following at runtime:
should not add constructor keys
should not add prototype keys
Suggested change
| ])('should not add constructor or prototype keys', ({ key, expected }) => { | |
| ])('should not add $key keys', ({ key, expected }) => { |
| } | ||
| } | ||
| } | ||
| ])('should not overwrite constructor or prototype keys', ({ key, state, expected }) => { |
There was a problem hiding this comment.
Suggested change
| ])('should not overwrite constructor or prototype keys', ({ key, state, expected }) => { | |
| ])('should not overwrite $key keys', ({ key, state, expected }) => { |
AnastasiiaSvietlova
deleted the
PLAT-11324-prototype-polluting-assignment
branch
Merged
This was referenced Sep 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Goal
Preventing the
__proto__,constructororprototypeproperty from being used as a section inclearandaddmethods of metadata-delegate.jsChangeset
Added condition if
__proto__ || constructor || prototypetries to pass as a section in theclearoraddmethod, it will not be executed.Testing
Created unit tests for checking 'constructor' and 'prototype'.
it doesn't seem easy to check whether proto keys can be overwritten