Skip to content

fix(merge): Avoid protototype pollution when parsing properties#8675

Merged
paul-marechal merged 1 commit intomasterfrom
prototype-pollution
Oct 29, 2020
Merged

fix(merge): Avoid protototype pollution when parsing properties#8675
paul-marechal merged 1 commit intomasterfrom
prototype-pollution

Conversation

@benoitf
Copy link
Contributor

@benoitf benoitf commented Oct 28, 2020

What it does

Avoid prototype pollution

How to test

Tests should pass
But you can try using configuration of plug-ins on workspace level and user level and see that merge correctly happen

Review checklist

Reminder for reviewers

@benoitf benoitf force-pushed the prototype-pollution branch from c34a31e to 1ed8fb6 Compare October 28, 2020 10:04
@benoitf benoitf added the plug-in system issues related to the plug-in system label Oct 28, 2020
paul-marechal
paul-marechal reviewed Oct 28, 2020
View reviewed changes
paul-marechal
paul-marechal reviewed Oct 28, 2020
View reviewed changes
@benoitf benoitf force-pushed the prototype-pollution branch from 1ed8fb6 to 593a7a9 Compare October 28, 2020 17:22
paul-marechal
paul-marechal approved these changes Oct 28, 2020
View reviewed changes
Copy link
Member

@paul-marechal paul-marechal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the fix!

@paul-marechal paul-marechal force-pushed the prototype-pollution branch 2 times, most recently from 122fafd to 8cccac3 Compare October 28, 2020 18:15
@max-schaefer
Copy link

max-schaefer commented Oct 29, 2020

Does this also guard against prototype pollution via .constructor.prototype, or is that not possible in this context? (Note that {}.constructor.prototype === Object.prototype.)

@benoitf
Copy link
Contributor Author

benoitf commented Oct 29, 2020

I updated test case with constructor (it seems it's only affecting parseConfigurationData method)
@marechal-p if you can review again (I pushed a new commit)

@paul-marechal
Copy link
Member

paul-marechal commented Oct 29, 2020
edited
Loading

There was an unescaped . in the regexp. I pushed the fix for this and also used Object.create(null) where it made sense. I don't see anything else, feel free to squash and merge.

@benoitf
fix(merge): Avoid protototype pollution when parsing properties
986c222 
Change-Id: I30ac10c9afce8a6fe01e197e18071e33f0e0bda7
Signed-off-by: Florent Benoit <fbenoit@redhat.com>
@benoitf benoitf force-pushed the prototype-pollution branch from 525f4d9 to 986c222 Compare October 29, 2020 16:39
@benoitf
Copy link
Contributor Author

benoitf commented Oct 29, 2020

@marechal-p would be nice to have it in the upcoming release

@paul-marechal paul-marechal merged commit a781485 into master Oct 29, 2020
@paul-marechal paul-marechal deleted the prototype-pollution branch October 29, 2020 18:26
@github-actions github-actions bot added this to the 1.7.0 milestone Oct 29, 2020
@paul-marechal
Copy link
Member

paul-marechal commented Oct 29, 2020

@benoitf it will since it looks like a complete fix now :)

@paul-marechal
Copy link
Member

paul-marechal commented Oct 29, 2020
edited
Loading

@max-schaefer please tell us if you still see something, we can do a patch release in the worst case.

We'll now proceed with the 1.7.0 release.

@max-schaefer
Copy link

max-schaefer commented Oct 29, 2020

LGTM

it seems it's only affecting parseConfigurationData method

Yes, that sounds plausible. The other method has an isObject check, which will prevent the .constructor.prototype vector, since .constructor is a function.

@tortmayr tortmayr mentioned this pull request Mar 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paul-marechal paul-marechal paul-marechal approved these changes

@akosyakov akosyakov Awaiting requested review from akosyakov

@marcdumais-work marcdumais-work Awaiting requested review from marcdumais-work

@svenefftinge svenefftinge Awaiting requested review from svenefftinge

Assignees

No one assigned

Labels

plug-in system issues related to the plug-in system

Projects

None yet

Milestone

1.7.0

Development

Successfully merging this pull request may close these issues.

3 participants

@benoitf @max-schaefer @paul-marechal