Closed TMaszko closed 1 year ago
Yes, this is a security fix due to #664 (and half a dozen other issues opened in this repo, this is just one example). I would've preferred to do it in a backwards compatible way but couldn't whitelist all kinds of possible "valid" names.
Can't we just blacklist the __proto__ name?
People can still add attributes like hasOwnProperty and then the code that uses the object fails.
You're right, it's a much more complex issue than I initially thought.
@Leonidas-from-XIV How about setting the prototype after parsing is done? We're going to create an object using Object.create(null) but after parsing we could set its prototype with Object.setPrototypeOf(parsedObject, Object.prototype). Wdyt?
Hmm, I haven't thought of it too much but I believe that it could work! Though you have to recurse through all the created objects.
Could you make a PR? It would be good to give this a bit more thought and test the original report against this solution.
Sure thing! I'll prepare a PR soon ;)
Objects since 0.5.0 are created using Object.create(null), which results in hard-to-track bugs when code that is using this parsed object wants to use it as a normal JS object, i.e. using hasOwnProperty results in an error ("hasOwnProperty" is not a function), like here: https://github.com/expo/expo/issues/22083?fbclid=IwAR3Rv6gP0gB2nrn1eHpq6E-Sd9jotjwn_HEyw4vD6XW4GZAaqym4B60Vp9k
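
The approach proposed in this thread (parse into Object.create(null) objects, then recursively restore Object.prototype), as an added example that is not part of the original posts or the project's code. The toy parser build, the helper restorePrototypes, demo and the sample entries are hypothetical and constructed for illustration.

```javascript
// Added example: toy parser with hypothetical names, not the project's code.
// Build a nested object from [path, value] pairs, the way a markup parser
// turns element names into keys. makeObject decides how containers are created.
function build(entries, makeObject) {
  const root = makeObject();
  for (const [path, value] of entries) {
    const keys = path.split(".");
    let node = root;
    for (const key of keys.slice(0, -1)) {
      if (node[key] === undefined) node[key] = makeObject();
      node = node[key];
    }
    node[keys[keys.length - 1]] = value;
  }
  return root;
}

// Recursively give every null-prototype object the normal Object.prototype.
function restorePrototypes(value) {
  if (value === null || typeof value !== "object") return value;
  if (Object.getPrototypeOf(value) === null) {
    Object.setPrototypeOf(value, Object.prototype);
  }
  for (const key of Object.getOwnPropertyNames(value)) restorePrototypes(value[key]);
  return value;
}

function demo() {
  // Constructed input: an ordinary key, a key named like an Object.prototype
  // method, and a path that goes through __proto__.
  const entries = [
    ["user.name", "alice"],
    ["user.hasOwnProperty", "shadowed"],
    ["__proto__.polluted", "yes"],
  ];
  const parsed = build(entries, () => Object.create(null));
  const before = typeof parsed.hasOwnProperty; // null prototype: the reported error
  restorePrototypes(parsed);
  return {
    before,
    after: typeof parsed.hasOwnProperty,
    shadowed: typeof parsed.user.hasOwnProperty, // input-supplied key wins
    safeCheck: Object.prototype.hasOwnProperty.call(parsed.user, "name"),
    ownProtoKey: Object.prototype.hasOwnProperty.call(parsed, "__proto__"),
    globalPolluted: ({}).polluted !== undefined,
  };
}

console.log(demo());
```

Restoring the prototype fixes the root-level hasOwnProperty call, but a key named hasOwnProperty in the input still shadows the method, so consumers are safer calling Object.prototype.hasOwnProperty.call(obj, key). The __proto__ key survives as ordinary own data, so code that later copies keys onto regular objects still has to treat that name carefully.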