Skip to content

[v16.x backport] lib: make primordials Promise methods safe#38878

Closed
aduh95 wants to merge 1 commit intonodejs:v16.x-stagingfrom
aduh95:backport-38259
Closed

[v16.x backport] lib: make primordials Promise methods safe#38878
aduh95 wants to merge 1 commit intonodejs:v16.x-stagingfrom
aduh95:backport-38259

Conversation

@aduh95
Copy link
Contributor

@aduh95 aduh95 commented May 31, 2021

catch and finally methods on %Promise.prototype% looks up the then
property of the instance, making it at risk of prototype pollution.

PR-URL: #38650
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell jasnell@gmail.com
Reviewed-By: Matteo Collina matteo.collina@gmail.com

@github-actions github-actions bot added fs Issues and PRs related to the fs subsystem / file system. needs-ci PRs that need a full CI run. v16.x labels May 31, 2021
@aduh95
lib: make primordials Promise methods safe
c1f6323 
`catch` and `finally` methods on %Promise.prototype% looks up the `then`
property of the instance, making it at risk of prototype pollution.

PR-URL: nodejs#38650
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@Lxxyx Lxxyx added request-ci Add this label to start a Jenkins CI on a PR. and removed needs-ci PRs that need a full CI run. labels Jun 11, 2021
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 11, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jun 11, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38580/

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jun 13, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38604/

targos pushed a commit that referenced this pull request Jun 14, 2021
@aduh95 @targos
lib: make primordials Promise methods safe
ded8335 
`catch` and `finally` methods on %Promise.prototype% looks up the `then`
property of the instance, making it at risk of prototype pollution.

PR-URL: #38650
Backport-PR-URL: #38878
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@targos
Copy link
Member

targos commented Jun 14, 2021

Landed in ded8335

@targos targos closed this Jun 14, 2021
@aduh95 aduh95 deleted the backport-38259 branch June 14, 2021 07:44
danielleadams pushed a commit that referenced this pull request Jun 17, 2021
@aduh95 @danielleadams
lib: make primordials Promise methods safe
46a32fd 
`catch` and `finally` methods on %Promise.prototype% looks up the `then`
property of the instance, making it at risk of prototype pollution.

PR-URL: #38650
Backport-PR-URL: #38878
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Lxxyx Lxxyx Lxxyx approved these changes

+3 more reviewers

@danielleadams danielleadams danielleadams approved these changes

@theoludwig theoludwig theoludwig approved these changes

@bl-ue bl-ue bl-ue approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

fs Issues and PRs related to the fs subsystem / file system.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@aduh95 @nodejs-github-bot @targos @danielleadams @Lxxyx @theoludwig @bl-ue