Skip to content

[v16.x backport] lib: make primordials Promise methods safe #38878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[v16.x backport] lib: make primordials Promise methods safe #38878

wants to merge 1 commit into from

Conversation

@aduh95
Copy link
Contributor

@aduh95 aduh95 commented May 31, 2021

catch and finally methods on %Promise.prototype% looks up the then
property of the instance, making it at risk of prototype pollution.

PR-URL: #38650
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell jasnell@gmail.com
Reviewed-By: Matteo Collina matteo.collina@gmail.com

@github-actions github-actions bot added fs Issues and PRs related to the fs subsystem / file system. needs-ci PRs that need a full CI run. v16.x labels May 31, 2021
@aduh95
lib: make primordials Promise methods safe
c1f6323 
`catch` and `finally` methods on %Promise.prototype% looks up the `then`
property of the instance, making it at risk of prototype pollution.

PR-URL: nodejs#38650
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@Lxxyx Lxxyx added request-ci Add this label to start a Jenkins CI on a PR. and removed needs-ci PRs that need a full CI run. labels Jun 11, 2021
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 11, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jun 11, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38580/

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jun 13, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38604/

targos pushed a commit that referenced this pull request Jun 14, 2021
@aduh95 @targos
lib: make primordials Promise methods safe
ded8335 
`catch` and `finally` methods on %Promise.prototype% looks up the `then`
property of the instance, making it at risk of prototype pollution.

PR-URL: #38650
Backport-PR-URL: #38878
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@targos
Copy link
Member

targos commented Jun 14, 2021

Landed in ded8335

@targos targos closed this Jun 14, 2021
@aduh95 aduh95 deleted the backport-38259 branch June 14, 2021 07:44
danielleadams pushed a commit that referenced this pull request Jun 17, 2021
@aduh95 @danielleadams
lib: make primordials Promise methods safe
46a32fd 
`catch` and `finally` methods on %Promise.prototype% looks up the `then`
property of the instance, making it at risk of prototype pollution.

PR-URL: #38650
Backport-PR-URL: #38878
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Lxxyx Lxxyx Lxxyx approved these changes

+3 more reviewers

@danielleadams danielleadams danielleadams approved these changes

@theoludwig theoludwig theoludwig approved these changes

@bl-ue bl-ue bl-ue approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

fs Issues and PRs related to the fs subsystem / file system.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@aduh95 @nodejs-github-bot @targos @danielleadams @Lxxyx @theoludwig @bl-ue