fix(aws-serverless): Remove possible prototype pollution source (#14110)

Fixes [https://github.com/getsentry/sentry-javascript/security/code-scanning/307](https://github.com/getsentry/sentry-javascript/security/code-scanning/307) To fix the prototype pollution issue, we need to ensure that the `handlerName` does not include any special properties like `__proto__`, `constructor`, or `prototype`. We can achieve this by adding a check to filter out these properties before performing the assignment. 1. Add a check to ensure `handlerName` does not include `__proto__`, `constructor`, or `prototype`. 2. If `handlerName` includes any of these properties, log an error and return without making the assignment. _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
getsentry · Oct 29, 2024 · c98377b · c98377b
1 parent a091bdd
commit c98377b
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/packages/aws-serverless/src/sdk.ts b/packages/aws-serverless/src/sdk.ts
@@ -168,6 +168,12 @@ export function tryPatchHandler(taskRoot: string, handlerPath: string): void {
     return;
   }
 
+  // Check for prototype pollution
+  if (functionName === '__proto__' || functionName === 'constructor' || functionName === 'prototype') {
+    DEBUG_BUILD && logger.error(`Invalid handler name: ${functionName}`);
+    return;
+  }
+
   // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
   (mod as HandlerModule)[functionName!] = wrapHandler(obj);
 }