`Object.freeze(NODEJS_BUILTIN_GLOBAL_AND_ITS_PROTOTYPE)` may lead to crash

[loynoir]

Version

v18.12.0

Platform

No response

Subsystem

No response

What steps will reproduce the bug?

Protect from prototype pollution inspired by https://github.com/snyk-labs/nopp/blob/main/index.js

reproduce.mjs

import globals from "globals";

for (const k of [...new Set(Object.values(globals).map(x => Object.keys(x)).flat())]) {
  if (k in globalThis) {
    const v = globalThis[k]
    try { Object.freeze(v) } catch { }
    try { Object.freeze(v.prototype) } catch { }
  }
}

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior?

No error.

What do you see instead?

$ node
Welcome to Node.js v18.12.0.
> void await import('./reproduce.mjs')
Uncaught TypeError: Cannot delete property 'crypto' of #<Object>
> crypto
Uncaught TypeError: Cannot delete property 'crypto' of #<Object>
    at get (node:internal/modules/cjs/helpers:181:23)
> globalThis.crypto
Uncaught TypeError: Cannot delete property 'crypto' of #<Object>
    at get (node:internal/modules/cjs/helpers:181:23)

Additional information

No response

[aduh95]

I don't understand you are asking, are you:

• reporting an instance where prototype pollution makes Node.js crash, in which case, can you share the content of reproduce.mjs?
• Asking for Node.js to freeze the built-in objects, in which case, have you heard of --frozen-intrinsics?

[loynoir]

@aduh95

1. Below is reproduce.mjs which is modified from snyk-labs/nopp

import globals from "globals";

for (const k of [...new Set(Object.values(globals).map(x => Object.keys(x)).flat())]) {
  if (k in globalThis) {
    const v = globalThis[k]
    try { Object.freeze(v) } catch { }
    try { Object.freeze(v.prototype) } catch { }
  }
}

2. Ah, just know --frozen-intrinsics now.

[aduh95]

Here's a smaller repro:

$ node --no-experimental-global-webcrypto --use-strict -e 'Object.defineProperty(global, "crypto", { configurable: false });crypto'
node:internal/modules/cjs/helpers:181
        delete object[name];
                      ^

TypeError: Cannot delete property 'crypto' of #<Object>
    at get (node:internal/modules/cjs/helpers:181:9)
    at [eval]:1:66
    at Script.runInThisContext (node:vm:129:12)
    at Object.runInThisContext (node:vm:307:38)
    at node:internal/process/execution:83:21
    at [eval]-wrapper:6:24
    at runScript (node:internal/process/execution:82:62)
    at evalScript (node:internal/process/execution:104:10)
    at node:internal/main/eval_string:50:3

Node.js v20.0.0-pre