cristianstaicu / SecBench.js


Packages mislabeled as arbitrary code execution #13

Open icemonster opened 1 year ago

icemonster commented 1 year ago

There are 11 packages that seem to me to be mislabeled.

You can collect them by running `grep -r "expect({}.polluted).toBe(undefined);"` on the code-injection folder.

Instead of arbitrary code execution, the PoCs are testing whether a prototype pollution was successful.

ericcornelissen commented 3 days ago

I don't think they're all necessarily mislabeled; instead they're testing for the wrong thing (after all, in general if you have ACE you can also do prototype pollution), as you suggest too.

Take for example the PoC for js-yaml, if you change the payload to

-    "{ toString: !<tag:yaml.org,2002:js/function> 'function (){return (this.constructor.prototype.polluted=`yes`)}' } : 1";
+    "{ toString: !<tag:yaml.org,2002:js/function> 'function (){return (console.log(\"yes\"))}' } : 1";
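Review bot: the payload swap leaves the PoC without an assertion that can fail, since `expect({}.polluted).toBe(undefined)` no longer says anything about the new payload and a "yes" printed to the terminal is not checked by the test runner. Suggest having the injected function set an observable flag (or spying on `console.log`) and asserting on that, so the test fails when execution does not actually happen.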

and run it, you will see "yes" printed to your terminal.
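The distinction made in this thread, as an added example that is not part of SecBench.js or the comments above: two test oracles, one that detects prototype pollution and one that detects code execution via a sentinel the payload must call. `unsafeLoad` is a hypothetical stand-in for a loader that evaluates a `js/function` tag (it is not js-yaml), and both payloads are constructed here for the demonstration.

```javascript
// Hypothetical vulnerable sink standing in for a loader that evaluates
// function bodies from untrusted input (not js-yaml; constructed for this example).
function unsafeLoad(source) {
  return Function(source)();
}

// Oracle 1: did the payload add a "polluted" property to Object.prototype?
// Mirrors the `{}.polluted` check the SecBench.js PoCs use.
function pollutionOracle(runPayload) {
  const before = Object.prototype.hasOwnProperty('polluted');
  try { runPayload(); } catch (_) { /* a failing payload is "not polluted" */ }
  const polluted = !before && ({}).polluted !== undefined;
  delete Object.prototype.polluted; // restore global state for later tests
  return polluted;
}

// Oracle 2: did the payload actually run code? Only execution can flip the
// sentinel, so this cannot be satisfied by a pure pollution payload.
function aceOracle(runPayload) {
  let executed = false;
  globalThis.__secbench_sentinel = () => { executed = true; };
  try { runPayload(); } catch (_) { /* a throwing payload still did not call us */ }
  delete globalThis.__secbench_sentinel;
  delete Object.prototype.polluted; // in case the payload polluted instead
  return executed;
}

// Constructed payloads: the first only pollutes, the second only executes.
const POLLUTION_PAYLOAD = "Object.prototype.polluted = 'yes'";
const ACE_PAYLOAD = "globalThis.__secbench_sentinel()";

// Classify a payload by which oracle it satisfies.
function classify(payload) {
  const run = () => unsafeLoad(payload);
  return { pollution: pollutionOracle(run), ace: aceOracle(run) };
}
```

A PoC labelled "code injection" should satisfy `aceOracle`; one that only satisfies `pollutionOracle` is testing prototype pollution, which is the mislabeling this issue reports.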