Skip to content

[v16.x backport] tools: add avoid-prototype-pollution lint rule #44081

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

[v16.x backport] tools: add avoid-prototype-pollution lint rule #44081

wants to merge 4 commits into from

Conversation

aduh95
Copy link
Contributor

@aduh95 aduh95 commented Aug 1, 2022

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/http
  • @nodejs/http2
  • @nodejs/modules
  • @nodejs/net
  • @nodejs/startup
  • @nodejs/tsc

@aduh95 aduh95 requested a review from targos August 1, 2022 08:55
@nodejs-github-bot nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. v16.x labels Aug 1, 2022
@targos targos added the request-ci Add this label to start a Jenkins CI on a PR. label Aug 1, 2022
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Aug 1, 2022
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/45769/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/45772/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/45775/

aduh95 added 4 commits August 1, 2022 23:35
@aduh95
tools: add avoid-prototype-pollution lint rule
0f489bc 
PR-URL: nodejs#43308
Reviewed-By: Rich Trott <rtrott@gmail.com>
@aduh95
tools: report unsafe string and regex primordials as lint errors
e0b41a5 
| The string method             | looks up the property |
| ----------------------------- | --------------------- |
| `String.prototype.match`      | `Symbol.match`        |
| `String.prototype.matchAll`   | `Symbol.matchAll`     |
| `String.prototype.replace`    | `Symbol.replace`      |
| `String.prototype.replaceAll` | `Symbol.replace`      |
| `String.prototype.search`     | `Symbol.search`       |
| `String.prototype.split`      | `Symbol.split`        |

Functions that lookup the `exec` property on the prototype chain:

* `RegExp.prototype[Symbol.match]`
* `RegExp.prototype[Symbol.matchAll]`
* `RegExp.prototype[Symbol.replace]`
* `RegExp.prototype[Symbol.search]`
* `RegExp.prototype[Symbol.split]`
* `RegExp.prototype.test`

`RegExp.prototype[Symbol.replace]` and `RegExp.prototype[Symbol.split]`
are still allowed for a lack of a better solution.

PR-URL: nodejs#43393
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
@aduh95
tools,doc: add guards against prototype pollution when creating proxies
4327ff8 
PR-URL: nodejs#43391
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: LiviaMedeiros <livia@cirno.name>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
@aduh95
lib: refactor to avoid unsafe regex primordials
9994a1b 
PR-URL: nodejs#43475
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
@aduh95 aduh95 force-pushed the backport-linter-rule-prs branch from 642d699 to 9994a1b Compare August 1, 2022 21:35
@aduh95 aduh95 added the request-ci Add this label to start a Jenkins CI on a PR. label Aug 1, 2022
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Aug 1, 2022
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/45781/

@github-actions github-actions bot mentioned this pull request Aug 2, 2022
Open
11 tasks
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/45788/

@targos
Copy link
Member

targos commented Aug 2, 2022

Landed in 0046b9a...a8c2418

@targos targos closed this Aug 2, 2022
targos pushed a commit that referenced this pull request Aug 2, 2022
@aduh95 @targos
tools: add avoid-prototype-pollution lint rule
1d09407 
PR-URL: #43308
Backport-PR-URL: #44081
Reviewed-By: Rich Trott <rtrott@gmail.com>
targos pushed a commit that referenced this pull request Aug 2, 2022
@aduh95 @targos
tools: report unsafe string and regex primordials as lint errors
3e33e90 
| The string method             | looks up the property |
| ----------------------------- | --------------------- |
| `String.prototype.match`      | `Symbol.match`        |
| `String.prototype.matchAll`   | `Symbol.matchAll`     |
| `String.prototype.replace`    | `Symbol.replace`      |
| `String.prototype.replaceAll` | `Symbol.replace`      |
| `String.prototype.search`     | `Symbol.search`       |
| `String.prototype.split`      | `Symbol.split`        |

Functions that lookup the `exec` property on the prototype chain:

* `RegExp.prototype[Symbol.match]`
* `RegExp.prototype[Symbol.matchAll]`
* `RegExp.prototype[Symbol.replace]`
* `RegExp.prototype[Symbol.search]`
* `RegExp.prototype[Symbol.split]`
* `RegExp.prototype.test`

`RegExp.prototype[Symbol.replace]` and `RegExp.prototype[Symbol.split]`
are still allowed for a lack of a better solution.

PR-URL: #43393
Backport-PR-URL: #44081
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this pull request Aug 2, 2022
@aduh95 @targos
tools,doc: add guards against prototype pollution when creating proxies
b9ec3b4 
PR-URL: #43391
Backport-PR-URL: #44081
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: LiviaMedeiros <livia@cirno.name>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
targos pushed a commit that referenced this pull request Aug 2, 2022
@aduh95 @targos
lib: refactor to avoid unsafe regex primordials
a8c2418 
PR-URL: #43475
Backport-PR-URL: #44081
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
@aduh95 aduh95 deleted the backport-linter-rule-prs branch August 2, 2022 08:03
This was referenced Aug 3, 2022
Open
Open
Open
@aduh95 aduh95 mentioned this pull request Oct 8, 2022
Closed
guangwong pushed a commit to noslate-project/node that referenced this pull request Oct 10, 2022
@aduh95 @guangwong
tools: add avoid-prototype-pollution lint rule
e404223 
PR-URL: nodejs/node#43308
Backport-PR-URL: nodejs/node#44081
Reviewed-By: Rich Trott <rtrott@gmail.com>
guangwong pushed a commit to noslate-project/node that referenced this pull request Oct 10, 2022
@aduh95 @guangwong
tools: report unsafe string and regex primordials as lint errors
549bdb2 
| The string method             | looks up the property |
| ----------------------------- | --------------------- |
| `String.prototype.match`      | `Symbol.match`        |
| `String.prototype.matchAll`   | `Symbol.matchAll`     |
| `String.prototype.replace`    | `Symbol.replace`      |
| `String.prototype.replaceAll` | `Symbol.replace`      |
| `String.prototype.search`     | `Symbol.search`       |
| `String.prototype.split`      | `Symbol.split`        |

Functions that lookup the `exec` property on the prototype chain:

* `RegExp.prototype[Symbol.match]`
* `RegExp.prototype[Symbol.matchAll]`
* `RegExp.prototype[Symbol.replace]`
* `RegExp.prototype[Symbol.search]`
* `RegExp.prototype[Symbol.split]`
* `RegExp.prototype.test`

`RegExp.prototype[Symbol.replace]` and `RegExp.prototype[Symbol.split]`
are still allowed for a lack of a better solution.

PR-URL: nodejs/node#43393
Backport-PR-URL: nodejs/node#44081
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
guangwong pushed a commit to noslate-project/node that referenced this pull request Oct 10, 2022
@aduh95 @guangwong
tools,doc: add guards against prototype pollution when creating proxies
10e7b9a 
PR-URL: nodejs/node#43391
Backport-PR-URL: nodejs/node#44081
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: LiviaMedeiros <livia@cirno.name>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
guangwong pushed a commit to noslate-project/node that referenced this pull request Oct 10, 2022
@aduh95 @guangwong
lib: refactor to avoid unsafe regex primordials
d0610ac 
PR-URL: nodejs/node#43475
Backport-PR-URL: nodejs/node#44081
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@targos targos targos approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

Assignees
No one assigned
Labels
lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aduh95 @nodejs-github-bot @targos @RafaelGSS