util: do not rely on mutable Object and Function' constructor prop

PR-URL: #56188Fixes: #55924 Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Jordan Harband <[email protected]>

Author: aduh95

lib/internal/util/inspect.js

@@ -22,8 +22,11 @@ const{
  DatePrototypeToISOString,
  DatePrototypeToString,
  ErrorPrototypeToString,
+ Function,
+ FunctionPrototype,
  FunctionPrototypeBind,
  FunctionPrototypeCall,
+ FunctionPrototypeSymbolHasInstance,
  FunctionPrototypeToString,
  JSONStringify,
  MapPrototypeEntries,
@@ -50,6 +53,7 @@ const{
  ObjectGetPrototypeOf,
  ObjectIs,
  ObjectKeys,
+ ObjectPrototype,
  ObjectPrototypeHasOwnProperty,
  ObjectPrototypePropertyIsEnumerable,
  ObjectSeal,
@@ -593,10 +597,26 @@ function isInstanceof(object, proto){
 }
 }
 
+// Special-case for some builtin prototypes in case their `constructor` property has been tampered.
+constwellKnownPrototypes=newSafeMap();
+wellKnownPrototypes.set(ObjectPrototype,{name: 'Object',constructor: Object});
+wellKnownPrototypes.set(FunctionPrototype,{name: 'Function',constructor: Function});
+
 functiongetConstructorName(obj,ctx,recurseTimes,protoProps){
 letfirstProto;
 consttmp=obj;
 while(obj||isUndetectableObject(obj)){
+constwellKnownPrototypeNameAndConstructor=wellKnownPrototypes.get(obj);
+if(wellKnownPrototypeNameAndConstructor!=null){
+const{ name, constructor }=wellKnownPrototypeNameAndConstructor;
+if(FunctionPrototypeSymbolHasInstance(constructor,tmp)){
+if(protoProps!==undefined&&firstProto!==obj){
+addPrototypeProperties(
+ctx,tmp,firstProto||tmp,recurseTimes,protoProps);
+}
+returnname;
+}
+}
 constdescriptor=ObjectGetOwnPropertyDescriptor(obj,'constructor');
 if(descriptor!==undefined&&
 typeofdescriptor.value==='function'&&
@@ -954,7 +974,11 @@ function formatRaw(ctx, value, recurseTimes, typedArray){
 if(noIterator){
 keys=getKeys(value,ctx.showHidden);
 braces=['{','}'];
-if(constructor==='Object'){
+if(typeofvalue==='function'){
+base=getFunctionBase(value,constructor,tag);
+if(keys.length===0&&protoProps===undefined)
+returnctx.stylize(base,'special');
+}elseif(constructor==='Object'){
 if(isArgumentsObject(value)){
 braces[0]='[Arguments]{';
 }elseif(tag!==''){
@@ -963,10 +987,6 @@ function formatRaw(ctx, value, recurseTimes, typedArray){
 if(keys.length===0&&protoProps===undefined){
 return`${braces[0]}}`;
 }
-}elseif(typeofvalue==='function'){
-base=getFunctionBase(value,constructor,tag);
-if(keys.length===0&&protoProps===undefined)
-returnctx.stylize(base,'special');
 }elseif(isRegExp(value)){
 // Make RegExps say that they are RegExps
 base=RegExpPrototypeToString(

test/parallel/test-util-inspect.js

@@ -3323,3 +3323,33 @@ assert.strictEqual(
 }
 }),'{[Symbol(Symbol.iterator)]: [Getter] }');
 }
+
+{
+consto={};
+const{prototype: BuiltinPrototype}=Object;
+constdesc=Reflect.getOwnPropertyDescriptor(BuiltinPrototype,'constructor');
+Object.defineProperty(BuiltinPrototype,'constructor',{
+get: ()=>BuiltinPrototype,
+configurable: true,
+});
+assert.strictEqual(
+util.inspect(o),
+'{}',
+);
+Object.defineProperty(BuiltinPrototype,'constructor',desc);
+}
+
+{
+consto={f(){}};
+const{prototype: BuiltinPrototype}=Function;
+constdesc=Reflect.getOwnPropertyDescriptor(BuiltinPrototype,'constructor');
+Object.defineProperty(BuiltinPrototype,'constructor',{
+get: ()=>BuiltinPrototype,
+configurable: true,
+});
+assert.strictEqual(
+util.inspect(o),
+'{f: [Function: f] }',
+);
+Object.defineProperty(BuiltinPrototype,'constructor',desc);
+}