From c763514c1420de6656c15c1d44b0a04da6abbeae Mon Sep 17 00:00:00 2001
From: Colin Ihrig
Date: Wed, 7 Sep 2022 09:11:16 -0400
Subject: [PATCH] fix(core): make errors more resistant to tampering (#15789)

This commit makes error objects more resistant to prototype tampering. This bug was found when updating the deno_std Node compatibility layer to Node 18. The Node test 'parallel/test-assert-fail.js' was breaking std's assertion library.

Refs: https://github.com/denoland/deno_std/pull/2585
---
 cli/tests/unit/error_test.ts | 10 +++++++++-
 core/02_error.js | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/cli/tests/unit/error_test.ts b/cli/tests/unit/error_test.ts
index 444b0445ac..f3c9e20e6b 100644
--- a/cli/tests/unit/error_test.ts
+++ b/cli/tests/unit/error_test.ts
@@ -1,5 +1,5 @@
 // Copyright 2018-2022 the Deno authors. All rights reserved. MIT license.
-import { assert } from "./test_util.ts";
+import { assert, assertThrows, fail } from "./test_util.ts";

 Deno.test("Errors work", () => {
 assert(new Deno.errors.NotFound("msg") instanceof Error);
@@ -22,3 +22,11 @@ Deno.test("Errors work", () => {
 assert(new Deno.errors.Busy("msg") instanceof Error);
 assert(new Deno.errors.NotSupported("msg") instanceof Error);
 });
+
+Deno.test("Errors have some tamper resistance", () => {
+ // deno-lint-ignore no-explicit-any
+ (Object.prototype as any).get = () => {};
+ assertThrows(() => fail("test error"), Error, "test error");
+ // deno-lint-ignore no-explicit-any
+ delete (Object.prototype as any).get;
+});
diff --git a/core/02_error.js b/core/02_error.js
index edb9c48436..d8e823bb2a 100644
--- a/core/02_error.js
+++ b/core/02_error.js
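Review bot: In the new "Errors have some tamper resistance" test in cli/tests/unit/error_test.ts, the `delete (Object.prototype as any).get;` cleanup only runs when `assertThrows` passes. If the assertion fails (the regression this test exists to catch), the polluted `Object.prototype.get` stays in place for every later test in the same process and can produce misleading follow-on failures. Wrapping the call as `try { assertThrows(...); } finally { delete (Object.prototype as any).get; }` keeps the tampering scoped to this test. The test also exercises only `get`; a sibling case for an inherited `set` would cover the other accessor key that conflicts with `value` in a descriptor.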
@@ -127,7 +127,7 @@
 let callSiteEvals = ArrayPrototypeMap(callSites, evaluateCallSite);
 callSiteEvals = ArrayPrototypeMap(callSiteEvals, sourceMapCallSiteEval);
 ObjectDefineProperties(error, {
- __callSiteEvals: { value: [], configurable: true },
+ __callSiteEvals: { __proto__: null, value: [], configurable: true },
 });
 const formattedCallSites = [];
 for (const cse of callSiteEvals) {
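Review bot: The `__proto__: null` added to the `__callSiteEvals` descriptor has no comment explaining it, so a later cleanup could drop it as noise and reopen the bug. A one-line comment above the property would record the intent, e.g. `// Null-prototype descriptor: keys inherited from a tampered Object.prototype (get/set/writable/...) must not be read by defineProperties.` Only this one descriptor is hardened in the hunk; any other descriptor literals passed to `ObjectDefineProperty`/`ObjectDefineProperties` elsewhere in core/02_error.js presumably need the same treatment, which cannot be confirmed from here. The enclosing function starts and ends outside the hunk.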