author | Tobias Nießen <tniessen@tnie.de> | 2021-12-21 18:03:15 +0000 |
committer | Richard Lau <rlau@redhat.com> | 2022-01-10 22:38:05 +0000 |
commit | 3454e797137b1706b11ff2f6f7fb60263b39396b (patch) | |
tree | bc9e0ce2a985e2c93977ac5bb67e54b591828204 | |
parent | a336444c7fb9fd1d0055481d84cdd57d7d569879 (diff) | |
download | node-new-3454e797137b1706b11ff2f6f7fb60263b39396b.tar.gz |
console: fix prototype pollution via console.table
CVE-ID: CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/307
Refs: https://hackerone.com/reports/1431042
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
-rw-r--r-- | lib/internal/console/constructor.js | 3 | ||||
-rw-r--r-- | test/parallel/test-console-table.js | 15 |
2 files changed, 17 insertions, 1 deletions
diff --git a/lib/internal/console/constructor.js b/lib/internal/console/constructor.js
index 92c6d72933..695a56164b 100644
--- a/lib/internal/console/constructor.js
+++ b/lib/internal/console/constructor.js
@@ -15,6 +15,7 @@ const {
 MathFloor,
 Number,
 NumberPrototypeToFixed,
+ ObjectCreate,
 ObjectDefineProperties,
 ObjectDefineProperty,
 ObjectKeys,
@@ -554,7 +555,7 @@ const consoleMethods = {
 return final([iterKey, valuesKey], [getIndexArray(length), values]);
 }
- const map = {};
+ const map = ObjectCreate(null);
 let hasPrimitives = false;
 const valuesKeyArray = [];
 const indexKeyArray = ObjectKeys(tabularData);
diff --git a/test/parallel/test-console-table.js b/test/parallel/test-console-table.js
index ac414918da..fb1de08323 100644
--- a/test/parallel/test-console-table.js
+++ b/test/parallel/test-console-table.js
@@ -276,3 +276,18 @@ test({ foo: '你好', bar: 'hello' }, `
 │ bar │ 'hello' │
 └─────────┴─────────┘
 `);
+
+// Regression test for prototype pollution via console.table. Earlier versions
+// of Node.js created an object with a non-null prototype within console.table
+// and then wrote to object[column][index], which lead to an error as well as
+// modifications to Object.prototype.
+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], ` 
+┌─────────┬───────────┐
+│ (index) │ __proto__ │
+├─────────┼───────────┤
+│ 0 │ │
+│ 1 │ │
+└─────────┴───────────┘
+`);
+assert.strictEqual('0' in Object.prototype, false);
+assert.strictEqual('1' in Object.prototype, false);
|
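Review bot: The switch to `ObjectCreate(null)` in the second hunk of lib/internal/console/constructor.js carries the whole security fix but has no comment explaining why a null-prototype object is required there, so a future cleanup could revert it to a plain literal without noticing. The later `map[column][index]` writes that the regression-test comment refers to lie outside this hunk, which is exactly why the reason is not apparent from the changed line itself. I would add above it `// Null prototype: column names are caller-supplied (or object keys), so a key like '__proto__' must land on this object, never on Object.prototype.` The enclosing `table` method begins and ends outside the hunk.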
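Review bot: The two assertions at the end of test/parallel/test-console-table.js pin only the indices '0' and '1' for the `__proto__` column, so any other stray property the implementation might leave on Object.prototype would go unnoticed; a broader check such as `assert.deepStrictEqual(Object.keys(Object.prototype), []);` after the table call would catch any enumerable pollution at all, assuming nothing else in the harness adds enumerable properties there. In the added comment, "which lead to an error" should read "which led to an error".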