Closed isdampe closed 3 weeks ago
@wellwelwel maybe freeze Object.prototype instead of inheriting from null?
https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html https://portswigger.net/web-security/prototype-pollution/preventing
@isdampe the "correct" way of calling hasOwnProperty should account for a possible null-prototype https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty#objects_created_with_object.createnull but you are right, this should not be introduced in a minor version change
We either need to fix this error somehow in 3.x or bump major version (and fix in 3.x)
I don't think we'll need a major version bump for this, but I'll perform some tests and check again to be sure.
Progress:
Related: https://github.com/sidorares/node-mysql2/pull/2574#issuecomment-2047118083
Note to self
Including a safe recommendation from MDN for this in docs (especially in case of a major bump version):
const obj = Object.create(null);
obj.test = true;
Object.hasOwn(obj, 'test'); // ✅
Pull #2574 looks like it introduced breaking changes that set the Object prototype to null (and not Object.prototype). A consequence of this is that returned records can no longer call methods of Object.prototype such as hasOwnProperty.
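The breakage reported in this thread, next to the own-property check that works on null-prototype rows, as an added example that is not part of the thread or of mysql2's code. `buildRow`, `hasColumn` and `legacyCheck` are hypothetical helpers, and the column named `__proto__` is constructed to show what the null prototype protects against.

```javascript
// Added example: buildRow, hasColumn and legacyCheck are hypothetical helpers,
// not mysql2 code. Column names and values below are constructed.

// Build a result row on a plain object or on a null-prototype object.
function buildRow(columns, values, nullProto) {
  const row = nullProto ? Object.create(null) : {};
  columns.forEach((name, i) => { row[name] = values[i]; });
  return row;
}

// Own-property check that works for both kinds of row.
function hasColumn(row, name) {
  return typeof Object.hasOwn === 'function'
    ? Object.hasOwn(row, name)
    : Object.prototype.hasOwnProperty.call(row, name);
}

// What existing caller code written as row.hasOwnProperty(name) sees.
function legacyCheck(row, name) {
  try {
    return row.hasOwnProperty(name);
  } catch (err) {
    return err instanceof TypeError ? 'TypeError' : 'other error';
  }
}

function demo() {
  const columns = ['id', '__proto__'];      // constructed column names
  const values = [1, { isAdmin: true }];    // constructed values
  const plain = buildRow(columns, values, false);
  const bare = buildRow(columns, values, true);
  return {
    // On a plain object the assignment replaces the row's prototype.
    plainInheritsIsAdmin: plain.isAdmin === true,
    plainHasProtoColumn: hasColumn(plain, '__proto__'),
    // On a null-prototype object '__proto__' is an ordinary own property.
    bareInheritsIsAdmin: bare.isAdmin === true,
    bareHasProtoColumn: hasColumn(bare, '__proto__'),
    legacyOnPlain: legacyCheck(plain, 'id'),
    legacyOnBare: legacyCheck(bare, 'id'),
    safeOnBare: hasColumn(bare, 'id'),
  };
}

console.log(demo());
```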