OSSForks/node
1
0
Fork 0
mirror of https://github.com/zebrajr/node.git synced 2026-01-15 12:15:26 +00:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

tools: add ArrayPrototypeConcat to the list of primordials to avoid

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/44445
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
This commit is contained in:
Antoine du Hamel
2022-12-17 20:15:24 +01:00
committed by GitHub
parent 929aada39d
commit ca2ec902e9
10 changed files with 52 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
lib/internal/bootstrap/node.js
View File

@@ -56,8 +56,8 @@ setupPrepareStackTrace();
const {
Array,
ArrayPrototypeConcat,
ArrayPrototypeFill,
ArrayPrototypePushApply,
FunctionPrototypeCall,
JSONParse,
Number,
@@ -174,11 +174,11 @@ const rawMethods = internalBinding('process_methods');
process.getActiveResourcesInfo = function() {
const timerCounts = internalTimers.getTimerCounts();
return ArrayPrototypeConcat(
rawMethods._getActiveRequestsInfo(),
rawMethods._getActiveHandlesInfo(),
ArrayPrototypeFill(new Array(timerCounts.timeoutCount), 'Timeout'),
ArrayPrototypeFill(new Array(timerCounts.immediateCount), 'Immediate'));
const info = rawMethods._getActiveRequestsInfo();
ArrayPrototypePushApply(info, rawMethods._getActiveHandlesInfo());
ArrayPrototypePushApply(info, ArrayPrototypeFill(new Array(timerCounts.timeoutCount), 'Timeout'));
ArrayPrototypePushApply(info, ArrayPrototypeFill(new Array(timerCounts.immediateCount), 'Immediate'));
return info;
};
// TODO(joyeecheung): remove these

7
lib/internal/debugger/inspect.js
View File

@@ -1,11 +1,11 @@
'use strict';
const {
ArrayPrototypeConcat,
ArrayPrototypeForEach,
ArrayPrototypeJoin,
ArrayPrototypeMap,
ArrayPrototypePop,
ArrayPrototypePushApply,
ArrayPrototypeShift,
ArrayPrototypeSlice,
FunctionPrototypeBind,
@@ -85,9 +85,8 @@ const debugRegex = /Debugger listening on ws:\/\/\[?(.+?)\]?:(\d+)\//;
async function runScript(script, scriptArgs, inspectHost, inspectPort,
childPrint) {
await portIsFree(inspectHost, inspectPort);
const args = ArrayPrototypeConcat(
[`--inspect-brk=${inspectPort}`, script],
scriptArgs);
const args = [`--inspect-brk=${inspectPort}`, script];
ArrayPrototypePushApply(args, scriptArgs);
const child = spawn(process.execPath, args);
child.stdout.setEncoding('utf8');
child.stderr.setEncoding('utf8');

1
lib/internal/main/print_help.js
View File

@@ -31,6 +31,7 @@ for (const key of ObjectKeys(types))
// Environment variables are parsed ad-hoc throughout the code base,
// so we gather the documentation here.
const { hasIntl, hasSmallICU, hasNodeOptions } = internalBinding('config');
// eslint-disable-next-line node-core/avoid-prototype-pollution
const envVars = new SafeMap(ArrayPrototypeConcat([
['FORCE_COLOR', { helpText: "when set to 'true', 1, 2, 3, or an empty " +
'string causes NO_COLOR and NODE_DISABLE_COLORS to be ignored.' }],

16
lib/internal/modules/cjs/loader.js
View File

@@ -23,7 +23,6 @@
const {
ArrayIsArray,
ArrayPrototypeConcat,
ArrayPrototypeFilter,
ArrayPrototypeIncludes,
ArrayPrototypeIndexOf,
@@ -668,7 +667,13 @@ Module._findPath = function(request, paths, isMain) {
Module._pathCache[cacheKey] = filename;
return filename;
}
reportModuleNotFoundToWatchMode(basePath, ArrayPrototypeConcat([''], exts));
if (exts === undefined) {
exts = [''];
} else {
ArrayPrototypeUnshift(exts, '');
}
reportModuleNotFoundToWatchMode(basePath, exts);
}
return false;
@@ -782,9 +787,12 @@ Module._resolveLookupPaths = function(request, parent) {
StringPrototypeCharAt(request, 1) !== '/' &&
(!isWindows || StringPrototypeCharAt(request, 1) !== '\\'))) {
let paths = modulePaths;
let paths;
if (parent?.paths?.length) {
paths = ArrayPrototypeConcat(parent.paths, paths);
paths = ArrayPrototypeSlice(modulePaths);
ArrayPrototypeUnshiftApply(paths, parent.paths);
} else {
paths = modulePaths;
}
debug('looking for %j in %j', request, paths);

12
lib/internal/modules/esm/resolve.js
View File

@@ -2,8 +2,8 @@
const {
ArrayIsArray,
ArrayPrototypeConcat,
ArrayPrototypeJoin,
ArrayPrototypePush,
ArrayPrototypeShift,
JSONStringify,
ObjectGetOwnPropertyNames,
@@ -957,11 +957,11 @@ function throwIfUnsupportedURLScheme(parsed, experimentalNetworkImports) {
)
)
) {
throw new ERR_UNSUPPORTED_ESM_URL_SCHEME(parsed, ArrayPrototypeConcat(
'file',
'data',
experimentalNetworkImports ? ['https', 'http'] : [],
));
const schemes = ['file', 'data'];
if (experimentalNetworkImports) {
ArrayPrototypePush(schemes, 'https', 'http');
}
throw new ERR_UNSUPPORTED_ESM_URL_SCHEME(parsed, schemes);
}
}

6
lib/internal/perf/observe.js
View File

@@ -9,7 +9,6 @@ const {
ArrayPrototypePushApply,
ArrayPrototypeSlice,
ArrayPrototypeSort,
ArrayPrototypeConcat,
Error,
MathMax,
MathMin,
@@ -513,7 +512,10 @@ function filterBufferMapByNameAndType(name, type) {
// Unrecognized type;
return [];
} else {
bufferList = ArrayPrototypeConcat(markEntryBuffer, measureEntryBuffer, resourceTimingBuffer);
bufferList = [];
ArrayPrototypePushApply(bufferList, markEntryBuffer);
ArrayPrototypePushApply(bufferList, measureEntryBuffer);
ArrayPrototypePushApply(bufferList, resourceTimingBuffer);
}
if (name !== undefined) {
bufferList = ArrayPrototypeFilter(bufferList, (buffer) => buffer.name === name);

9
lib/internal/util/inspector.js
View File

@@ -1,8 +1,8 @@
'use strict';
const {
ArrayPrototypeConcat,
ArrayPrototypeSome,
ArrayPrototypePushApply,
FunctionPrototypeBind,
ObjectDefineProperty,
ObjectKeys,
@@ -69,10 +69,9 @@ function installConsoleExtensions(commandLineApi) {
const { makeRequireFunction } = require('internal/modules/helpers');
const consoleAPIModule = new CJSModule('<inspector console>');
const cwd = tryGetCwd();
consoleAPIModule.paths = ArrayPrototypeConcat(
CJSModule._nodeModulePaths(cwd),
CJSModule.globalPaths
);
consoleAPIModule.paths = [];
ArrayPrototypePushApply(consoleAPIModule.paths, CJSModule._nodeModulePaths(cwd));
ArrayPrototypePushApply(consoleAPIModule.paths, CJSModule.globalPaths);
commandLineApi.require = makeRequireFunction(consoleAPIModule);
}

6
lib/repl.js
View File

@@ -43,7 +43,6 @@
'use strict';
const {
ArrayPrototypeConcat,
ArrayPrototypeFilter,
ArrayPrototypeFindIndex,
ArrayPrototypeForEach,
@@ -52,6 +51,7 @@ const {
ArrayPrototypeMap,
ArrayPrototypePop,
ArrayPrototypePush,
ArrayPrototypePushApply,
ArrayPrototypeReverse,
ArrayPrototypeShift,
ArrayPrototypeSlice,
@@ -1332,7 +1332,9 @@ function complete(line, callback) {
} else if (RegExpPrototypeExec(/^\.\.?\//, completeOn) !== null) {
paths = [process.cwd()];
} else {
paths = ArrayPrototypeConcat(module.paths, CJSModule.globalPaths);
paths = [];
ArrayPrototypePushApply(paths, module.paths);
ArrayPrototypePushApply(paths, CJSModule.globalPaths);
}
ArrayPrototypeForEach(paths, (dir) => {

4
test/parallel/test-eslint-avoid-prototype-pollution.js
View File

@@ -295,5 +295,9 @@ new RuleTester({
code: 'PromiseRace([])',
errors: [{ message: /\bSafePromiseRace\b/ }]
},
{
code: 'ArrayPrototypeConcat([])',
errors: [{ message: /\bisConcatSpreadable\b/ }]
},
]
});

8
tools/eslint-rules/avoid-prototype-pollution.js
View File

@@ -224,6 +224,14 @@ module.exports = {
message: `Use Safe${node.callee.name} instead of ${node.callee.name}`,
});
},
[CallExpression('ArrayPrototypeConcat')](node) {
context.report({
node,
message: '%Array.prototype.concat% looks up `@@isConcatSpreadable` ' +
'which can be subject to prototype pollution',
});
},
};
},
};