node: warn for Object.prototype.__* accessors common in security warnings

[bmeck]

These accessors cause too much noise in npm security audits for the ecosystem, we should start a path to removal. Figuring out/warning on usage seems a good first step prior to actual removal. This would also be a way to verify that a security audit warning actually is affecting something rather than being false positives. These are optional/legacy in the JS language specification https://tc39.es/ecma262/#sec-object.prototype-legacy-accessor-methods

[jasnell]

Perhaps we should make these proper runtime deprecations?
/cc @addaleax

[bmeck]

I'm not opposed, is it just adding to the docs a new number to get the DEP###?

[bmeck]

added to DEP doc, idk if there is a process to do instead

[jasnell]

Look for other DEP codes in the code and you'll see how those are emitted :-)

[targos]

Example:

node/lib/sys.js

Lines 28 to 29 in e46c680

	process.emitWarning('sys is deprecated. Use util instead.',
	'DeprecationWarning', 'DEP0025');

As soon as this is changed to emit a deprecation warning, I'll launch a CITGM run with --throw-deprecation

[bmeck]

this seems difficult to wrangle without giving a unique DEP id to each accessor given the other feedback of giving more actionable feedback in #39824 (comment)

[mcollina]

We need to document this somewhere. Most experienced folks would now but not newbies.

[mcollina]

Here is a relevant discussion: #31951

[jasnell]

There is a common.expectWarning() utility.

[bmeck]

done, but it seems deprecate(...) in lib seems to only fire once per dep code so having specialized messages per accessor seems to require unique DEP codes.

[targos]

CITGM results: https://ci.nodejs.org/job/citgm-smoker/nodes=ubuntu1804-64/2751/#showFailuresLink

Unfortunately, all modules that depend on node-gyp fail at install time because of another deprecation.

• Affects ava, csv-parser, ember-cli through an old version of graceful-fs
• Affects bluebird through the cli-table module: https://github.com/Automattic/cli-table/blob/89392b27224b6a0c4a71f3085d1bdb5e9b83df9d/lib/index.js#L62, https://github.com/Automattic/cli-table/blob/89392b27224b6a0c4a71f3085d1bdb5e9b83df9d/lib/index.js#L71
• Affects body-parser through an old version of chalk
• Affects clinic through tap-mocha-reporter: https://github.com/tapjs/tap-mocha-reporter/blob/5c8846fe3655aceb7ab104e5989b469b57601c00/lib/reporters/dot.js#L62
• Seems to affect Prettier's TypeScript parser, but I can't find where it is in Prettier's repository: https://ci.nodejs.org/job/citgm-smoker/nodes=ubuntu1804-64/2751/testReport/junit/(root)/citgm/cheerio_v1_0_0_rc_10/
• Affects crc32-stream through some version of yargs-parser
• Affects commander through yargs: https://github.com/yargs/yargs/blob/395bb67749787d269cabe80ffc3133c2f6958aeb/index.cjs#L25-L43
• Affects duplexer2, esprima through some version of commander
• Affects express through cookie-session. The module is fixed but only in an alpha release.

I'm stopping here but there are many more.

[targos]

cli-table is used by 375k GitHub repositories and >2.5k npm packages
chalk versions < 4 are probably used by a lot of projects
yargs is used by millions of projects
express is used by millions of projects

Maybe we should start with a pending deprecation?

[addaleax]

I get that __proto__ is annoying, but it’s also widely used (which is why I had excluded it from #39576 as well). Runtime-deprecating that is a big breaking change.

[bmeck]

__proto__ is the main problem for CVEs regarding prototype pollution, it is the most important to figure out how to address. I am not arguing popularity or utility, just that the API is problematic in practice.

[addaleax]

Right – that’s what --disable-proto is for, no? Anyway, if we do this, it should be communicated very clearly to users.

(I also don’t think putting this behind --pending-deprecation is particularly useful, given that there already is a flag to opt-out of this behavior. If we do make the decision to runtime-deprecate fully eventually, then I guess that decision can also be made now.)

[bmeck]

--disable-proto is a bit different, it doesn't let you see that something is using __proto__ so you can fix it. It just removes it or makes it throw; also it is opt-in so the ecosystem noise is just permanent since it doesn't actually cause any sort of signal that security warning isn't a false positive.

[addaleax]

Well, I would say that throwing exceptions definitely lets you do that :)

In any case, to be clear I’m not -1 on this per se, I just think that this is a big change and we should call it out very explicitly.

[bmeck]

Throwing alters behavior, so maybe --disable-proto could get a warning mode that lets programs run and you fix it when you see it rather than taking down a process potentially?

Seems fine to have whole blog posts before this and waiting for a major to me on this PR. Since this affects legacy codebases as well it will likely also take some effort to PR things.

We could also add a flag to re-add the accessors if we ever do remove them for people needing to run legacy code.

[addaleax]

Throwing alters behavior, so maybe --disable-proto could get a warning mode that lets programs run and you fix it when you see it rather than taking down a process potentially?

I mean – yes, throwing alters behavior, but practically speaking, people will notice whether they are using __proto__ with either method, which is the point here anyw2ay.

We could also add a flag to re-add the accessors if we ever do remove them for people needing to run legacy code.

Yeah, I think in the long run that might be a good idea – just remove the accessors, but add a flag to add them for those who really need them.

[kapouer]

Too bad that --disable-proto=log wasn't an option ?

[kapouer]

On the other hand, --disable-proto=throw during development should spot all issues (if using a package lock).

[bmeck]

@targos added a guard

[bmeck]

@targos after some digging, a variety of those are all from the test reporter used: tapjs/tap-mocha-reporter#68

[bmeck]

we have patched some stuff in the wild, we should run CITGM again

[bmeck]

https://github.com/tapjs/tap-mocha-reporter has landed a fix, we should be good to try a new CITGM to see what the status is in the ecosystem.

[bmeck]

CITGM smoker running https://ci.nodejs.org/job/citgm-smoker/2863/

[aduh95]

The last CITGM run reports 81 failures, which seems to be more or less the same as master. Maybe we could land this in v18.0.0?

@bmeck can you rebase please?

[bmeck]

Have a newborn, won't be doing PR work for a few weeks

…

On Wed, Apr 6, 2022, 9:43 AM Antoine du Hamel ***@***.***> wrote: The last CITGM run reports 81 failures, which seems to be more or less the same as master. Maybe we could land this in v18.0.0? @bmeck <https://github.com/bmeck> can you rebase please? — Reply to this email directly, view it on GitHub <#39824 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABZJI6MSA43X277Y32G53DVDWPHDANCNFSM5CQ7UVQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[mcollina]

Congrats!

[kapouer]

Was passing by here too. Nice one. Babies are so cute, and they don't have proto !