endojs / Jessie

Tiny subset of JavaScript for ocap-safe universal mobile code
Apache License 2.0

`__proto__` attack mitigation #15

Open michaelfig opened 5 years ago

michaelfig commented 5 years ago

Hi,

Standard JSON.parse prevents people from injecting __proto__ into the parsed objects, which are all derived from Object. Instead an "own property" called __proto__ is created. However, this is still relatively dangerous, as code higher up the chain which is not also explicitly defending against __proto__ injections may inadvertently override the prototype chain with an attacker's input.

I would like to propose that creating __proto__ members is rejected in Jessie. To my understanding, Jessie already rejects mutable properties, so code can't later set obj.__proto__ = {}. However, I would also like to see the attempt to create the following Jessie object produce an error:

let abc = { "__proto__": {}};

Silently creating an "own property" is quite scary, and IMO should be rejected even if it makes Jessie not entirely a static superset of JSON.

Thoughts? Michael.

erights commented 5 years ago

This is an interesting case, in that JavaScript is in this regard already not a superset of JSON. They both accept the syntax, but, as you point out, with conflicting semantics. Since Jessie is supposed to be a subset of JavaScript and a superset of JSON, this is a good enough excuse for banning it.

Jessie purposely omits the elements of JavaScript for talking about inheritance: new, Object.create and most reflective operations, this, class. A standalone Jessie implementation should not need to support general inheritance. A correct Jessie program must not assume either the existence or non-existence of the rest of the SES runtime; it must run correctly when run as a SES program interacting with other SES objects, and when run on a conforming standalone Jessie implementation. The Object.prototype.__proto__ accessor property is one of these elements of the SES runtime which is absent from the Jessie whitelist.

All these considerations support your proposal. I agree. Jessie should statically prohibit syntax naming __proto__ as a property name, whether with or without quotes, and whether in an object literal or after a dot.

Thanks!
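The two conflicting readings of `"__proto__"` that this thread contrasts (own property after JSON.parse, prototype assignment in an object literal), plus a reject-on-sight check in the spirit of the proposal, as an added JavaScript example. This is not code from the Jessie project; `assertNoProtoKeys` and `safeParse` are hypothetical names and the JSON text is a constructed sample.

```javascript
// Constructed sample input: the same text could be JSON data or JS source.
const JSON_TEXT = '{"__proto__": {"polluted": true}, "name": "abc"}';

// JSON.parse: "__proto__" becomes an ordinary own property and the
// prototype chain of the result is untouched.
function parseKeepsOwnProperty(text) {
  const obj = JSON.parse(text);
  return {
    isOwn: Object.prototype.hasOwnProperty.call(obj, '__proto__'),
    protoIsObjectPrototype: Object.getPrototypeOf(obj) === Object.prototype,
  };
}

// Object literal: the identical text, read as JavaScript source, sets the
// [[Prototype]] of the new object instead of creating an own property.
function literalSetsPrototype() {
  const obj = { "__proto__": { polluted: true }, name: "abc" };
  return {
    isOwn: Object.prototype.hasOwnProperty.call(obj, '__proto__'),
    inheritsPolluted: obj.polluted === true, // found via the prototype
  };
}

// Hypothetical check of the kind proposed for Jessie: walk a parsed JSON
// value and reject any object, at any depth, that names "__proto__" as a
// key, so the ambiguous shape never reaches code that might merge or
// re-serialise it.
function assertNoProtoKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return;
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoProtoKeys(v, `${path}[${i}]`));
    return;
  }
  for (const key of Object.keys(value)) {
    if (key === '__proto__') {
      throw new SyntaxError(`"__proto__" is not an allowed property name at ${path}`);
    }
    assertNoProtoKeys(value[key], `${path}.${key}`);
  }
}

// JSON.parse wrapper that applies the check before handing the value on.
function safeParse(text) {
  const value = JSON.parse(text);
  assertNoProtoKeys(value);
  return value;
}
```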

dckc commented 5 years ago

I don't understand why this was closed. Shouldn't some change to the Jessie spec happen first?

erights commented 5 years ago

Hi Dan, yes. Thanks!