author | Tobias Nießen <tniessen@tnie.de> | 2021-12-21 21:03:15 +0300 |
committer | Richard Lau <rlau@redhat.com> | 2022-01-07 18:57:20 +0300 |
commit | e2a74f3c99f415757e8d3299983eda67e71051ad (patch) | |
tree | 4090a344c2d40330c248cb3a0fdad5050a1cbb77 | |
parent | 9f2c52617f7910eebe194981d7caf9824a4aba44 (diff) |
console: fix prototype pollution via console.table
CVE-ID: CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/307
Refs: https://hackerone.com/reports/1431042
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
-rw-r--r-- | lib/internal/console/constructor.js | 3 | ||||
-rw-r--r-- | test/parallel/test-console-table.js | 15 |
2 files changed, 17 insertions, 1 deletions
diff --git a/lib/internal/console/constructor.js b/lib/internal/console/constructor.js
index c3716a8acda..7881dc1c133 100644
--- a/lib/internal/console/constructor.js
+++ b/lib/internal/console/constructor.js
@@ -15,6 +15,7 @@ const {
 MathFloor,
 Number,
 NumberPrototypeToFixed,
+ ObjectCreate,
 ObjectDefineProperties,
 ObjectDefineProperty,
 ObjectKeys,
@@ -555,7 +556,7 @@ const consoleMethods = {
 return final([iterKey, valuesKey], [getIndexArray(length), values]);
 }
 
- const map = {};
+ const map = ObjectCreate(null);
 let hasPrimitives = false;
 const valuesKeyArray = [];
 const indexKeyArray = ObjectKeys(tabularData);
diff --git a/test/parallel/test-console-table.js b/test/parallel/test-console-table.js
index ac414918dab..fb1de08323e 100644
--- a/test/parallel/test-console-table.js
+++ b/test/parallel/test-console-table.js
@@ -276,3 +276,18 @@ test({ foo: '你好', bar: 'hello' }, `
 │ bar │ 'hello' │
 └─────────┴─────────┘
 `);
+
+// Regression test for prototype pollution via console.table. Earlier versions
+// of Node.js created an object with a non-null prototype within console.table
+// and then wrote to object[column][index], which lead to an error as well as
+// modifications to Object.prototype.
+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
+┌─────────┬───────────┐
+│ (index) │ __proto__ │
+├─────────┼───────────┤
+│ 0 │ │
+│ 1 │ │
+└─────────┴───────────┘
+`);
+assert.strictEqual('0' in Object.prototype, false);
+assert.strictEqual('1' in Object.prototype, false); |
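Review bot: The `const map = ObjectCreate(null);` line carries the whole security fix but has no comment saying why a null prototype is required, so a later cleanup could revert it to `{}` without noticing. The column names that index `map` appear to come from caller-controlled input (the `properties` argument or the row objects' keys, used further down in the function, outside this hunk), which is exactly why inherited names such as `__proto__` or `constructor` must resolve to own entries rather than to `Object.prototype`. I would add above it: `// Null prototype: column names are caller-controlled, so keys like '__proto__' or 'constructor' must never resolve through Object.prototype.` The enclosing `table` method body starts and ends outside this hunk.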
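Review bot: The new regression test only covers the `__proto__` column, which exercises the setter-based pollution path; a column whose inherited value is a function rather than `undefined` (e.g. `constructor` or `hasOwnProperty`) presumably took a different branch in the pre-fix code and would have mutated that builtin instead of `Object.prototype`, and nothing here guards against that regressing. A second case such as `test([{ foo: 10 }], ['constructor'], ...)` with the matching expected table, followed by `assert.strictEqual(Object.prototype.hasOwnProperty.call(Object, '0'), false);`, would pin the null-prototype behaviour for the non-`__proto__` case as well. Minor wording in the added comment: `which lead to an error` should read `which led to an error`.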