node: warn for Object.prototype.__* accessors common in security warnings #39824
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,10 +3,13 @@ | |
| const { | ||
| NumberParseInt, | ||
| ObjectDefineProperty, | ||
| ObjectGetOwnPropertyDescriptor, | ||
| ObjectGetPrototypeOf, | ||
| SafeMap, | ||
| SafeWeakMap, | ||
| StringPrototypeStartsWith, | ||
| globalThis, | ||
| uncurryThis, | ||
| } = primordials; | ||
|
|
||
| const { | ||
|
|
@@ -332,6 +335,61 @@ function initializeDeprecations() { | |
| enumerable: false, | ||
| configurable: true | ||
| }); | ||
|
|
||
| let warnedForProto = false; | ||
| const ObjectPrototype = ObjectGetPrototypeOf({}); | ||
| function warnOnProto() { | ||
| if (!warnedForProto) { | ||
| warnedForProto = true; | ||
| process.emitWarning('usage of Object.prototype.__* properties are a' + | ||
|
bmeck marked this conversation as resolved.
Outdated
|
||
| ' common security concern, use static methods on Object instead'); | ||
| } | ||
|
Member
There was a problem hiding this comment. Perhaps we should make these proper runtime deprecations?
Member
Author
There was a problem hiding this comment. I'm not opposed, is it just adding to the docs a new number to get the DEP###?
Member
Author
There was a problem hiding this comment. added to DEP doc, idk if there is a process to do instead
Member
There was a problem hiding this comment. Look for other DEP codes in the code and you'll see how those are emitted :-)
Member
There was a problem hiding this comment. Example: Lines 28 to 29 in e46c680 As soon as this is changed to emit a deprecation warning, I'll launch a CITGM run with
Member
Author
There was a problem hiding this comment. this seems difficult to wrangle without giving a unique DEP id to each accessor given the other feedback of giving more actionable feedback in #39824 (comment) |
||
| } | ||
| const legacy = [ | ||
| '__proto__', | ||
|
bmeck marked this conversation as resolved.
Outdated
|
||
| '__defineGetter__', | ||
| '__defineSetter__', | ||
| '__lookupGetter__', | ||
| '__lookupSetter__', | ||
| ]; | ||
| for (let i = 0; i < legacy.length; i++) { | ||
| const prop = legacy[i]; | ||
| const protoDescriptor = ObjectGetOwnPropertyDescriptor( | ||
| ObjectPrototype, | ||
| prop); | ||
| if ('value' in protoDescriptor) { | ||
|
bmeck marked this conversation as resolved.
Outdated
|
||
| let value = protoDescriptor.value; | ||
| const writable = protoDescriptor.writable; | ||
| ObjectDefineProperty(ObjectPrototype, legacy[i], { | ||
| get() { | ||
| warnOnProto(); | ||
| return value; | ||
| }, | ||
| set(v) { | ||
| warnOnProto(); | ||
| if (!writable) return; | ||
| value = v; | ||
| }, | ||
| enumerable: false, | ||
| configurable: true | ||
| }); | ||
| } else { | ||
| const getter = uncurryThis(protoDescriptor.get); | ||
| const setter = uncurryThis(protoDescriptor.set); | ||
| ObjectDefineProperty(ObjectPrototype, legacy[i], { | ||
| get() { | ||
| warnOnProto(); | ||
| return getter(this); | ||
| }, | ||
| set(value) { | ||
| warnOnProto(); | ||
| setter(this, value); | ||
| }, | ||
| enumerable: false, | ||
| configurable: true | ||
| }); | ||
| } | ||
| } | ||
| } | ||
|
|
||
| function setupChildProcessIpcChannel() { | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| 'use strict'; | ||
|
|
||
| const common = require('../common'); | ||
|
|
||
| process.on('warning', common.mustCall()); | ||
|
Member
There was a problem hiding this comment. There is a
Member
Author
There was a problem hiding this comment. done, but it seems |
||
|
|
||
| const obj = {}; | ||
| // eslint-disable-next-line | ||
| const _ = obj.__proto__; | ||
| // eslint-disable-next-line | ||
| obj.__proto__ = null; | ||
Uh oh!
There was an error while loading. Please reload this page.