lib: make safe primordials Promise methods

`catch` and `finally` methods on %Promise.prototype% looks up the `then`
property of the instance, making it at risk of prototype pollution.

Author: aduh95

lib/internal/per_context/primordials.js

@@ -253,6 +253,8 @@ const {
   Map,
   ObjectFreeze,
   ObjectSetPrototypeOf,
+  Promise,
+  PromisePrototypeThen,
   Set,
   SymbolIterator,
   WeakMap,
@@ -384,5 +386,23 @@ primordials.SafeWeakRef = makeSafe(
   }
 );
 
+const SafePromise = makeSafe(
+  Promise,
+  class SafePromise extends Promise {
+    // eslint-disable-next-line no-useless-constructor
+    constructor(executor) { super(executor); }
+  }
+);
+
+primordials.PromisePrototypeCatch = (thisPromise, onRejected) =>
+  PromisePrototypeThen(thisPromise, undefined, onRejected);
+
+primordials.PromisePrototypeFinally = (thisPromise, onFinally) =>
+  new Promise((a, b) =>
+    new SafePromise((a, b) => PromisePrototypeThen(thisPromise, a, b))
+      .finally(onFinally)
+      .then(a, b)
+  );
+
 ObjectSetPrototypeOf(primordials, null);
 ObjectFreeze(primordials);

test/parallel/test-primordials-promise.js

@@ -0,0 +1,15 @@
+// Flags: --expose-internals
+'use strict';
+
+const common = require('../common');
+
+const {
+  PromisePrototype,
+  PromisePrototypeCatch,
+  PromisePrototypeFinally,
+} = require('internal/test/binding').primordials;
+
+PromisePrototype.then = common.mustNotCall();
+
+PromisePrototypeCatch(Promise.reject(), common.mustCall());
+PromisePrototypeFinally(Promise.resolve(), common.mustCall());