Object properties should be created using defineProperty
#164
Comments
Seems we need to use |
I'm OK with that, personally. Do you think the symmetry with |
Seems this can't cause a security issue, but it is worth improving anyway. /cc @dervus |
Honestly, this behavior of |
A naive implementation that replaces regular assignment with defineProperty results in a noticeable performance drop:
Probably we need to collect all these special keys like |
Note that |
This vulnerability still exists today (Node v13). Is nobody going to fix this? |
Using terms like "vulnerability" needs proof. Do you have any? Something more than a single broken object. |
Idea: we could check first bytes of property name and use /cc @rlidwka |
Fixed in a003121 (in |
This is how `JSON.parse` works, and it allows one to bypass setters on `Object.prototype` such as `__proto__`. Compare:
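The difference discussed in this thread, shown as an added example (not code from the issue or from this project): storing a parsed `__proto__` key by plain assignment versus with `Object.defineProperty`, plus a guarded variant that uses `defineProperty` only for that key so the common path keeps fast assignment. The helper names and the sample payload are hypothetical, and special-casing only `__proto__` is an assumption of this sketch.

```javascript
// Hypothetical helpers modelling a parser's "store key/value on the result" step.

// Plain assignment: for the key "__proto__" this runs the setter inherited from
// Object.prototype, so the object's prototype is replaced and no own property exists.
function setByAssignment(obj, key, value) {
  obj[key] = value;
  return obj;
}

// Define semantics (what JSON.parse uses): always creates an own data property
// and never runs inherited setters.
function setByDefine(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return obj;
}

// Guarded variant: pay the defineProperty cost only for the special key.
function setGuarded(obj, key, value) {
  return key === '__proto__'
    ? setByDefine(obj, key, value)
    : setByAssignment(obj, key, value);
}

// Summarise what happened to the target object.
function describe(obj) {
  const own = (k) => Object.prototype.hasOwnProperty.call(obj, k);
  return {
    ownProto: own('__proto__'),                                   // key kept as data?
    prototypeIntact: Object.getPrototypeOf(obj) === Object.prototype,
    inheritedAdmin: obj.admin === true && !own('admin'),          // leaked via prototype?
  };
}

// Constructed sample input: a mapping whose only key is "__proto__".
const payload = { admin: true };
const viaAssign = describe(setByAssignment({}, '__proto__', payload));
const viaDefine = describe(setByDefine({}, '__proto__', payload));
const viaGuard = describe(setGuarded({}, '__proto__', payload));
const viaJson = describe(JSON.parse('{"__proto__": {"admin": true}}'));

console.log({ viaAssign, viaDefine, viaGuard, viaJson });
```

Only the object being built is affected by the assignment path; `Object.prototype` itself is not modified, so the effect is limited to code that later trusts inherited properties on the parsed result.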