OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs10?expand=0&rev=172
commit be69403528da99bf3df9e1dc47186f18ba59cb5e
Author: Tobias Nießen <tniessen@tnie.de>
Date: Tue Dec 21 18:03:15 2021 +0000
console: fix prototype pollution via console.table
CVE-ID: CVE-2022-21824
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/308
PR-URL: https://github.com/nodejs-private/node-private/pull/307
Refs: https://hackerone.com/reports/1431042
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
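Index: node-v10.24.1/test/parallel/test-console-table.js
===================================================================
--- node-v10.24.1.orig/test/parallel/test-console-table.js
+++ node-v10.24.1/test/parallel/test-console-table.js
@@ -244,3 +244,18 @@ test([{ a: 1, b: 'Y' }, { a: 'Z', b: 2 }
 │ 1 │ 'Z' │ 2 │
 └─────────┴─────┴─────┘
 `);
+
+// Regression test for prototype pollution via console.table. Earlier versions
+// of Node.js created an object with a non-null prototype within console.table
+// and then wrote to object[column][index], which lead to an error as well as
+// modifications to Object.prototype.
+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
+┌─────────┬───────────┐
+│ (index) │ __proto__ │
+├─────────┼───────────┤
+│ 0 │ │
+│ 1 │ │
+└─────────┴───────────┘
+`);
+assert.strictEqual('0' in Object.prototype, false);
+assert.strictEqual('1' in Object.prototype, false);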
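Review bot: The added comment says `which lead to an error`; the past tense is `led`, so the line should read `// and then wrote to object[column][index], which led to an error as well as`. The two assertions check only the keys `'0'` and `'1'`, which matches the two-row input but ties the check to the fixture size. A check that does not depend on the row count, for example `assert.deepStrictEqual(Object.keys(Object.prototype), []);`, would keep guarding the prototype if the fixture is later extended.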
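Index: node-v10.24.1/lib/console.js
===================================================================
--- node-v10.24.1.orig/lib/console.js
+++ node-v10.24.1/lib/console.js
@@ -425,7 +425,7 @@ Console.prototype.table = function(tabul
 ]);
 }
 
- const map = {};
+ const map = Object.create(null);
 let hasPrimitives = false;
 const valuesKeyArray = [];
 const indexKeyArray = ObjectKeys(tabularData);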
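Review bot: The new `const map = Object.create(null);` resolves `create` on the global `Object` at call time, while the last context line of the same hunk goes through a captured `ObjectKeys(...)`. For consistency, and so that user code reassigning `Object.create` cannot change what `console.table` builds, the file could capture the function the same way, presumably where `ObjectKeys` is defined (outside this hunk), and write `const map = ObjectCreate(null);`. A one-line comment above the declaration, such as `// Null prototype: column names come from caller input and may be '__proto__'.`, would keep a later refactor from reverting it to `{}`. The body of `Console.prototype.table` starts and ends outside the hunk, so whether any later code relies on `map` inheriting from `Object.prototype` cannot be confirmed from here.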