snyk-labs / nopp

Tiny helper to protect against Prototype Pollution vulnerabilities in your application, regardless of whether they are introduced in your own code or in 3rd-party code
MIT License
20 stars 5 forks

[BUG]: harmless updates to objects are also blocked #5

Open misterfish opened 1 year ago

misterfish commented 1 year ago

Is there an existing issue for this?

Description of the bug

This is useful but it seems to be quite impractical to use unfortunately. Even harmless updates are blocked, causing a runtime error. Such updates could happen at any time in your program, especially in libraries you don't control. Are there any known workarounds for this?

Steps To Reproduce

import 'nopp'
const o = {}
o.toString = function () { return '10' } // runtime error

toString is defined on Object.prototype and the freezing process prevents us even from shadowing toString on our own object. (The same is true for valueOf).

You can get around this like this:

...
// o.toString = function () { return '10' } // runtime error
Object.defineProperty (o, 'toString', { value: function () { ... } })

or if you happen to have included toString when you made the object:

...
const o = { toString: ... }
o.toString = function () { ... } // ok

but all in all it's really hard to be sure there won't be runtime errors if you're using any libraries.

Additional Information

No response
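Added example, not part of the issue or of nopp's code: the behaviour reported above, reproduced against a constructed frozen prototype (`frozenProto`, a stand-in assumed here so the real `Object.prototype` is left untouched). It also covers sloppy-mode code, which the issue does not mention: there the same assignment does not throw but is silently dropped.

```javascript
// Constructed stand-in for a frozen Object.prototype (assumption: the real
// global is not frozen here, so the demo has no side effects).
const frozenProto = Object.freeze({
  toString() { return 'inherited' },
})

// Strict-mode assignment: the inherited property is read-only, so the
// engine refuses to create a shadowing own property and throws.
function assignStrict(o) {
  'use strict'
  try {
    o.toString = function () { return '10' }
    return 'ok'
  } catch (e) {
    return e.constructor.name
  }
}

// Sloppy-mode assignment (new Function bodies are never strict unless they
// opt in): no error is raised, but the write is silently ignored.
const assignSloppy = new Function('o', "o.toString = function () { return '10' }")

// defineProperty creates the own property directly and does not consult
// the prototype chain, so the frozen prototype does not block it.
function defineOwn(o) {
  Object.defineProperty(o, 'toString', {
    value: function () { return '10' },
    writable: true, configurable: true, enumerable: false,
  })
  return o
}

function demo() {
  const a = Object.create(frozenProto)
  const b = Object.create(frozenProto)
  assignSloppy(b)
  const c = defineOwn(Object.create(frozenProto))
  // An object that already owns a writable toString can be reassigned.
  const d = Object.create(frozenProto, {
    toString: { value: () => 'first', writable: true, configurable: true },
  })
  return {
    strictResult: assignStrict(a), // assignment through the frozen prototype
    sloppyValue: String(b),        // still the inherited implementation
    definedValue: String(c),       // own property installed
    ownResult: assignStrict(d),    // assignment to an existing own property
    ownValue: String(d),
  }
}
```

The sloppy-mode result is the one to check for when adopting a frozen prototype: a library running non-strict code will not raise an error, it will keep using the inherited method.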