Remove Object.prototype.__proto__ (#4341)

denoland · Mar 15, 2020 · 2f4be6e · 2f4be6e
1 parent 64a35ac
commit 2f4be6e
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 0 deletions.
diff --git a/cli/js/compiler.ts b/cli/js/compiler.ts
@@ -400,6 +400,12 @@ function bootstrapWasmCompilerRuntime(): void {
   globalThis.onmessage = wasmCompilerOnMessage;
 }
 
+// Removes the `__proto__` for security reasons.  This intentionally makes
+// Deno non compliant with ECMA-262 Annex B.2.2.1
+//
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+delete (Object.prototype as any).__proto__;
+
 Object.defineProperties(globalThis, {
   bootstrapWasmCompilerRuntime: {
     value: bootstrapWasmCompilerRuntime,

diff --git a/cli/js/main.ts b/cli/js/main.ts
@@ -2,6 +2,12 @@
 import { bootstrapMainRuntime } from "./runtime_main.ts";
 import { bootstrapWorkerRuntime } from "./runtime_worker.ts";
 
+// Removes the `__proto__` for security reasons.  This intentionally makes
+// Deno non compliant with ECMA-262 Annex B.2.2.1
+//
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+delete (Object.prototype as any).__proto__;
+
 Object.defineProperties(globalThis, {
   bootstrapMainRuntime: {
     value: bootstrapMainRuntime,

diff --git a/cli/tests/integration_tests.rs b/cli/tests/integration_tests.rs
@@ -1426,6 +1426,11 @@ itest!(fix_js_imports {
   output: "fix_js_imports.ts.out",
 });
 
+itest!(proto_exploit {
+  args: "run proto_exploit.js",
+  output: "proto_exploit.js.out",
+});
+
 #[test]
 fn cafile_fetch() {
   use deno::http_cache::url_to_filename;

diff --git a/cli/tests/proto_exploit.js b/cli/tests/proto_exploit.js
@@ -0,0 +1,5 @@
+const payload = `{ "__proto__": null }`;
+const obj = {};
+console.log("Before: " + obj);
+Object.assign(obj, JSON.parse(payload));
+console.log("After: " + obj);
diff --git a/cli/tests/proto_exploit.js.out b/cli/tests/proto_exploit.js.out
@@ -0,0 +1,2 @@
+Before: [object Object]
+After: [object Object]