Commit Graph

3 Commits

Author SHA1 Message Date
Antoine du Hamel
358008f473
tools,doc: add guards against prototype pollution when creating proxies
PR-URL: https://github.com/nodejs/node/pull/43391
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: LiviaMedeiros <livia@cirno.name>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
2022-06-16 00:26:48 +02:00
Antoine du Hamel
9119382555
tools: report unsafe string and regex primordials as lint errors
| The string method             | looks up the property |
| ----------------------------- | --------------------- |
| `String.prototype.match`      | `Symbol.match`        |
| `String.prototype.matchAll`   | `Symbol.matchAll`     |
| `String.prototype.replace`    | `Symbol.replace`      |
| `String.prototype.replaceAll` | `Symbol.replace`      |
| `String.prototype.search`     | `Symbol.search`       |
| `String.prototype.split`      | `Symbol.split`        |

Functions that look up the `exec` property on the prototype chain:

* `RegExp.prototype[Symbol.match]`
* `RegExp.prototype[Symbol.matchAll]`
* `RegExp.prototype[Symbol.replace]`
* `RegExp.prototype[Symbol.search]`
* `RegExp.prototype[Symbol.split]`
* `RegExp.prototype.test`

`RegExp.prototype[Symbol.replace]` and `RegExp.prototype[Symbol.split]`
are still allowed for lack of a better solution.

PR-URL: https://github.com/nodejs/node/pull/43393
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
2022-06-16 00:21:57 +02:00
Antoine du Hamel
93728c60d2
tools: add avoid-prototype-pollution lint rule
PR-URL: https://github.com/nodejs/node/pull/43308
Reviewed-By: Rich Trott <rtrott@gmail.com>
2022-06-11 14:45:31 +01:00
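
The lookups listed in commit 9119382555 above, observed at runtime in an added example (not code from the Node.js repository). The names `dispatchedSymbol`, `execLookups`, `regexpFunctions` and `guardedTest` are hypothetical, the sample strings and regexes are constructed, and calling a captured `exec` directly is an assumed way of avoiding the lookup, not something the commit states.

```javascript
// Added example, not Node.js source. Sample strings and regexes are constructed.
const originalExec = RegExp.prototype.exec; // captured before anything can replace it

// Which well-known symbol does String.prototype[methodName] dispatch to?
function dispatchedSymbol(methodName) {
  let called = null;
  // `flags` is needed: matchAll/replaceAll reject RegExp-like arguments without "g".
  const probe = { flags: 'g' };
  for (const name of ['match', 'matchAll', 'replace', 'search', 'split']) {
    probe[Symbol[name]] = () => { called = `Symbol.${name}`; return null; };
  }
  String.prototype[methodName].call('abc', probe, 'x');
  return called;
}

// How many times does `invoke` reach a user-replaced RegExp.prototype.exec?
function execLookups(invoke) {
  let calls = 0;
  RegExp.prototype.exec = function exec(str) {
    calls++;
    return Reflect.apply(originalExec, this, [str]);
  };
  try {
    invoke();
  } finally {
    RegExp.prototype.exec = originalExec; // always restore the built-in
  }
  return calls;
}

// The functions the commit message lists as looking up `exec`.
const regexpFunctions = {
  'RegExp.prototype.test': () => /b/.test('abc'),
  'RegExp.prototype[Symbol.match]': () => /b/[Symbol.match]('abc'),
  'RegExp.prototype[Symbol.matchAll]': () => Array.from(/b/g[Symbol.matchAll]('abc')),
  'RegExp.prototype[Symbol.replace]': () => /b/[Symbol.replace]('abc', 'x'),
  'RegExp.prototype[Symbol.search]': () => /b/[Symbol.search]('abc'),
  'RegExp.prototype[Symbol.split]': () => /b/[Symbol.split]('abc'),
};

// Calling the captured exec directly performs no lookup on the prototype chain.
const guardedTest = () => Reflect.apply(originalExec, /b/, ['abc']) !== null;

for (const m of ['match', 'matchAll', 'replace', 'replaceAll', 'search', 'split']) {
  console.log(`String.prototype.${m} ->`, dispatchedSymbol(m));
}
for (const [name, invoke] of Object.entries(regexpFunctions)) {
  console.log(name, 'user exec calls:', execLookups(invoke));
}
console.log('captured exec, user exec calls:', execLookups(guardedTest));
```

A non-zero count means code running after a user-land reassignment of `RegExp.prototype.exec` would execute that replacement, which is the behaviour the lint rule reports.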