module: protect against prototype mutation

aduh95 · juanarbol · commit b66517191196 · 2022-10-11T14:45:10.000-05:00
Ensures that mutating the `Object` prototype does not influence the parsing of `package.json` files. PR-URL: #44007 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
diff --git a/lib/internal/modules/cjs/helpers.js b/lib/internal/modules/cjs/helpers.js
@@ -24,6 +24,7 @@ const path = require('path');
 const{pathToFileURL, fileURLToPath, URL } = require('internal/url');
 
 const{getOptionValue } = require('internal/options');
+const{setOwnProperty } = require('internal/util');
 const userConditions = getOptionValue('--conditions');
 
 let debug = require('internal/util/debuglog').debuglog('module', (fn) =>{
@@ -117,7 +118,7 @@ function makeRequireFunction(mod, redirects){
 
 resolve.paths = paths;
 
- require.main = process.mainModule;
+ setOwnProperty(require, 'main', process.mainModule);
 
 // Enable support to add extra extension types.
 require.extensions = Module._extensions;
diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
@@ -79,7 +79,7 @@ const{
 maybeCacheSourceMap,
 } = require('internal/source_map/source_map_cache');
 const{pathToFileURL, fileURLToPath, isURLInstance } = require('internal/url');
-const{deprecate, kEmptyObject } = require('internal/util');
+const{deprecate, kEmptyObject, filterOwnProperties, setOwnProperty } = require('internal/util');
 const vm = require('vm');
 const assert = require('internal/assert');
 const fs = require('fs');
@@ -172,7 +172,7 @@ const moduleParentCache = new SafeWeakMap();
 function Module(id = '', parent){
 this.id = id;
 this.path = path.dirname(id);
- this.exports ={};
+ setOwnProperty(this, 'exports',{});
 moduleParentCache.set(this, parent);
 updateChildren(parent, this, false);
 this.filename = null;
@@ -312,14 +312,13 @@ function readPackage(requestPath){
 }
 
 try{
- const parsed = JSONParse(json);
- const filtered ={
- name: parsed.name,
- main: parsed.main,
- exports: parsed.exports,
- imports: parsed.imports,
- type: parsed.type
- };
+ const filtered = filterOwnProperties(JSONParse(json), [
+ 'name',
+ 'main',
+ 'exports',
+ 'imports',
+ 'type',
+ ]);
 packageJsonCache.set(jsonPath, filtered);
 return filtered;
 } catch (e){
@@ -1191,7 +1190,7 @@ Module._extensions['.json'] = function(module, filename){
 }
 
 try{
- module.exports = JSONParse(stripBOM(content));
+ setOwnProperty(module, 'exports', JSONParse(stripBOM(content)));
 } catch (err){
 err.message = filename + ': ' + err.message;
 throw err;
diff --git a/lib/internal/modules/esm/package_config.js b/lib/internal/modules/esm/package_config.js
@@ -2,6 +2,7 @@
 
 const{
 JSONParse,
+ ObjectPrototypeHasOwnProperty,
 SafeMap,
 StringPrototypeEndsWith,
 } = primordials;
@@ -11,6 +12,7 @@ const{
 } = require('internal/errors').codes;
 
 const packageJsonReader = require('internal/modules/package_json_reader');
+const{filterOwnProperties } = require('internal/util');
 
 
 /**
@@ -66,8 +68,8 @@ function getPackageConfig(path, specifier, base){
 );
 }
 
- let{imports, main, name, type } = packageJSON;
- const{exports } = packageJSON;
+ let{imports, main, name, type } = filterOwnProperties(packageJSON, ['imports', 'main', 'name', 'type']);
+ const exports = ObjectPrototypeHasOwnProperty(packageJSON, 'exports') ? packageJSON.exports : undefined;
 if (typeof imports !== 'object' || imports === null){
 imports = undefined;
 }
diff --git a/lib/internal/util.js b/lib/internal/util.js
@@ -14,6 +14,7 @@ const{
 ObjectGetOwnPropertyDescriptors,
 ObjectGetPrototypeOf,
 ObjectFreeze,
+ ObjectPrototypeHasOwnProperty,
 ObjectSetPrototypeOf,
 Promise,
 ReflectApply,
@@ -518,6 +519,35 @@ ObjectFreeze(kEnumerableProperty);
 
 const kEmptyObject = ObjectFreeze(ObjectCreate(null));
 
+function filterOwnProperties(source, keys){
+ const filtered = ObjectCreate(null);
+ for (let i = 0; i < keys.length; i++){
+ const key = keys[i];
+ if (ObjectPrototypeHasOwnProperty(source, key)){
+ filtered[key] = source[key];
+ }
+ }
+
+ return filtered;
+}
+
+/**
+ * Mimics `obj[key] = value` but ignoring potential prototype inheritance.
+ * @param{any} obj
+ * @param{string} key
+ * @param{any} value
+ * @returns{any}
+ */
+function setOwnProperty(obj, key, value){
+ return ObjectDefineProperty(obj, key,{
+ __proto__: null,
+ configurable: true,
+ enumerable: true,
+ value,
+ writable: true,
+ });
+}
+
 module.exports ={
 assertCrypto,
 cachedResult,
@@ -530,6 +560,7 @@ module.exports ={
 emitExperimentalWarning,
 exposeInterface,
 filterDuplicateStrings,
+ filterOwnProperties,
 getConstructorOf,
 getSystemErrorMap,
 getSystemErrorName,
@@ -560,4 +591,5 @@ module.exports ={
 
 kEmptyObject,
 kEnumerableProperty,
+ setOwnProperty,
 };
diff --git a/test/fixtures/es-module-specifiers/index.mjs b/test/fixtures/es-module-specifiers/index.mjs
@@ -1,10 +1,11 @@
 import explicit from 'explicit-main';
 import implicit from 'implicit-main';
 import implicitModule from 'implicit-main-type-module';
+import noMain from 'no-main-field';
 
 function getImplicitCommonjs (){
 return import('implicit-main-type-commonjs');
 }
 
-export{explicit, implicit, implicitModule, getImplicitCommonjs};
+export{explicit, implicit, implicitModule, getImplicitCommonjs, noMain};
 export default 'success';
diff --git a/test/fixtures/es-module-specifiers/node_modules/no-main-field/index.js b/test/fixtures/es-module-specifiers/node_modules/no-main-field/index.js
diff --git a/test/fixtures/es-module-specifiers/node_modules/no-main-field/package.json b/test/fixtures/es-module-specifiers/node_modules/no-main-field/package.json
diff --git a/test/parallel/test-module-prototype-mutation.js b/test/parallel/test-module-prototype-mutation.js
@@ -0,0 +1,43 @@
+'use strict';
+const common = require('../common');
+const fixtures = require('../common/fixtures');
+const assert = require('assert');
+
+Object.defineProperty(Object.prototype, 'name',{
+ __proto__: null,
+ get: common.mustNotCall('get %Object.prototype%.name'),
+ set: common.mustNotCall('set %Object.prototype%.name'),
+ enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'main',{
+ __proto__: null,
+ get: common.mustNotCall('get %Object.prototype%.main'),
+ set: common.mustNotCall('set %Object.prototype%.main'),
+ enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'type',{
+ __proto__: null,
+ get: common.mustNotCall('get %Object.prototype%.type'),
+ set: common.mustNotCall('set %Object.prototype%.type'),
+ enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'exports',{
+ __proto__: null,
+ get: common.mustNotCall('get %Object.prototype%.exports'),
+ set: common.mustNotCall('set %Object.prototype%.exports'),
+ enumerable: false,
+});
+Object.defineProperty(Object.prototype, 'imports',{
+ __proto__: null,
+ get: common.mustNotCall('get %Object.prototype%.imports'),
+ set: common.mustNotCall('set %Object.prototype%.imports'),
+ enumerable: false,
+});
+
+assert.strictEqual(
+ require(fixtures.path('es-module-specifiers', 'node_modules', 'no-main-field')),
+ 'no main field'
+);
+
+import(fixtures.fileURL('es-module-specifiers', 'index.mjs'))
+ .then(common.mustCall((module) => assert.strictEqual(module.noMain, 'no main field')));

-Original file line number
+Diff line change
 const{ pathToFileURL, fileURLToPath,URL}=require('internal/url');
 const{ getOptionValue }=require('internal/options');
 +const{ setOwnProperty }=require('internal/util');
 constuserConditions=getOptionValue('--conditions');
 letdebug=require('internal/util/debuglog').debuglog('module',(fn)=>{
 resolve.paths=paths;
 -require.main=process.mainModule;
 +setOwnProperty(require,'main',process.mainModule);
 // Enable support to add extra extension types.
 require.extensions=Module._extensions;
-Original file line number
+Diff line change
  maybeCacheSourceMap,
 }=require('internal/source_map/source_map_cache');
 const{ pathToFileURL, fileURLToPath, isURLInstance }=require('internal/url');
 -const{ deprecate, kEmptyObject }=require('internal/util');
 +const{ deprecate, kEmptyObject, filterOwnProperties, setOwnProperty}=require('internal/util');
 constvm=require('vm');
 constassert=require('internal/assert');
 constfs=require('fs');
 functionModule(id='',parent){
 this.id=id;
 this.path=path.dirname(id);
 -this.exports={};
 +setOwnProperty(this,'exports',{});
 moduleParentCache.set(this,parent);
 updateChildren(parent,this,false);
 this.filename=null;
+}
 try{
 -constparsed=JSONParse(json);
 -constfiltered={
 -name: parsed.name,
 -main: parsed.main,
 -exports: parsed.exports,
 -imports: parsed.imports,
 -type: parsed.type
 -};
 +constfiltered=filterOwnProperties(JSONParse(json),[
 +'name',
 +'main',
 +'exports',
 +'imports',
 +'type',
 +]);
 packageJsonCache.set(jsonPath,filtered);
 returnfiltered;
 }catch(e){
+}
 try{
 -module.exports=JSONParse(stripBOM(content));
 +setOwnProperty(module,'exports',JSONParse(stripBOM(content)));
 }catch(err){
 err.message=filename+': '+err.message;
 throwerr;
-Original file line number
+Diff line change
 const{
  JSONParse,
 + ObjectPrototypeHasOwnProperty,
  SafeMap,
  StringPrototypeEndsWith,
 }=primordials;
 }=require('internal/errors').codes;
 constpackageJsonReader=require('internal/modules/package_json_reader');
 +const{ filterOwnProperties }=require('internal/util');
 /**
 );
+}
 -let{ imports, main, name, type }=packageJSON;
 -const{exports }=packageJSON;
 +let{ imports, main, name, type }=filterOwnProperties(packageJSON,['imports','main','name','type']);
 +constexports=ObjectPrototypeHasOwnProperty(packageJSON,'exports') ? packageJSON.exports : undefined;
 if(typeofimports!=='object'||imports===null){
 imports=undefined;
+}
-Original file line number
+Diff line change
@@ @@ -1,10 +1,11 @@ @@
 importexplicitfrom'explicit-main';
 importimplicitfrom'implicit-main';
 importimplicitModulefrom'implicit-main-type-module';
 +importnoMainfrom'no-main-field';
 functiongetImplicitCommonjs(){
 returnimport('implicit-main-type-commonjs');
+}
 -export{explicit,implicit,implicitModule,getImplicitCommonjs};
 +export{explicit,implicit,implicitModule,getImplicitCommonjs,noMain};
 exportdefault'success';