diff options
| author | Kenta Moriuchi <moriken@kimamass.com> | 2023-04-26 07:36:22 +0900 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-04-26 00:36:22 +0200 |
| commit | 9b49de46446f3acb3081bfa809652a8a66d54bfb (patch) | |
| tree | d8ab2b27927928230d8a7d6ca9b06e6a16c2d068 | |
| parent | 97820fe8abb15baabaf6b6eed632514867c7d97d (diff) | |
fix(core): Wrap safe collections' argument of primordials (#18750)
| -rw-r--r-- | cli/tests/unit/websocket_test.ts | 22 | ||||
| -rw-r--r-- | core/00_primordials.js | 24 | ||||
| -rw-r--r-- | ext/console/02_console.js | 4 |
3 files changed, 44 insertions, 6 deletions
diff --git a/cli/tests/unit/websocket_test.ts b/cli/tests/unit/websocket_test.ts index 999eede41..795d5ebc1 100644 --- a/cli/tests/unit/websocket_test.ts +++ b/cli/tests/unit/websocket_test.ts @@ -147,3 +147,25 @@ Deno.test({ }; await Promise.all([promise, server]); }); + +Deno.test( + { sanitizeOps: false }, + function websocketConstructorWithPrototypePollusion() { + const originalSymbolIterator = Array.prototype[Symbol.iterator]; + try { + Array.prototype[Symbol.iterator] = () => { + throw Error("unreachable"); + }; + assertThrows(() => { + new WebSocket( + new URL("ws://localhost:4242/"), + // Allow `Symbol.iterator` to be called in WebIDL conversion to `sequence<DOMString>` + // deno-lint-ignore no-explicit-any + ["soap", "soap"].values() as any, + ); + }, DOMException); + } finally { + Array.prototype[Symbol.iterator] = originalSymbolIterator; + } + }, +); diff --git a/core/00_primordials.js b/core/00_primordials.js index f49a11de4..60474e649 100644 --- a/core/00_primordials.js +++ b/core/00_primordials.js @@ -405,7 +405,11 @@ Map, class SafeMap extends Map { constructor(i) { - super(i); + if (i == null) { + super(); + return; + } + super(new SafeArrayIterator(i)); } }, ); @@ -413,7 +417,11 @@ WeakMap, class SafeWeakMap extends WeakMap { constructor(i) { - super(i); + if (i == null) { + super(); + return; + } + super(new SafeArrayIterator(i)); } }, ); @@ -422,7 +430,11 @@ Set, class SafeSet extends Set { constructor(i) { - super(i); + if (i == null) { + super(); + return; + } + super(new SafeArrayIterator(i)); } }, ); @@ -430,7 +442,11 @@ WeakSet, class SafeWeakSet extends WeakSet { constructor(i) { - super(i); + if (i == null) { + super(); + return; + } + super(new SafeArrayIterator(i)); } }, ); diff --git a/ext/console/02_console.js b/ext/console/02_console.js index 3e55efb74..5873a2ec2 100644 --- a/ext/console/02_console.js +++ b/ext/console/02_console.js @@ -56,7 +56,7 @@ const { SafeArrayIterator, SafeMap, SafeStringIterator, - SafeSet, + SafeSetIterator, SafeRegExp, SetPrototype, SetPrototypeEntries, @@ -2158,7 +2158,7 @@ class Console { const indexKey = isSet || isMap ? "(iter idx)" : "(idx)"; if (isSet) { - resultData = [...new SafeSet(data)]; + resultData = [...new SafeSetIterator(data)]; } else if (isMap) { let idx = 0; resultData = {}; |