Skip to content

[v16.x backport] lib: make primordials Promise methods safe#38878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
aduh95 wants to merge 1 commit into from
Closed

[v16.x backport] lib: make primordials Promise methods safe #38878

aduh95 wants to merge 1 commit into from

Conversation

@aduh95
Copy link
Contributor

@aduh95aduh95 commented May 31, 2021

catch and finally methods on %Promise.prototype% looks up the then
property of the instance, making it at risk of prototype pollution.

PR-URL: #38650
Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch
Reviewed-By: James M Snell [email protected]
Reviewed-By: Matteo Collina [email protected]

@github-actionsgithub-actionsbot added fs Issues and PRs related to the fs subsystem / file system. needs-ci PRs that need a full CI run. v16.x labels May 31, 2021
@aduh95
lib: make primordials Promise methods safe
c1f6323
`catch` and `finally` methods on %Promise.prototype% looks up the `then` property of the instance, making it at risk of prototype pollution. PR-URL: nodejs#38650 Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch Reviewed-By: James M Snell <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
@LxxyxLxxyx added request-ci Add this label to start a Jenkins CI on a PR. and removed needs-ci PRs that need a full CI run. labels Jun 11, 2021
@github-actionsgithub-actionsbot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 11, 2021
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jun 11, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38580/

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jun 13, 2021

CI: https://ci.nodejs.org/job/node-test-pull-request/38604/

targos pushed a commit that referenced this pull request Jun 14, 2021
@aduh95@targos
lib: make primordials Promise methods safe
ded8335
`catch` and `finally` methods on %Promise.prototype% looks up the `then` property of the instance, making it at risk of prototype pollution. PR-URL: #38650 Backport-PR-URL: #38878 Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch Reviewed-By: James M Snell <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
@targos
Copy link
Member

targos commented Jun 14, 2021

Landed in ded8335

@targostargos closed this Jun 14, 2021
@aduh95aduh95 deleted the backport-38259 branch June 14, 2021 07:44
danielleadams pushed a commit that referenced this pull request Jun 17, 2021
@aduh95@danielleadams
lib: make primordials Promise methods safe
46a32fd
`catch` and `finally` methods on %Promise.prototype% looks up the `then` property of the instance, making it at risk of prototype pollution. PR-URL: #38650 Backport-PR-URL: #38878 Refs: https://tc39.es/ecma262/#sec-promise.prototype.catch Reviewed-By: James M Snell <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@LxxyxLxxyxLxxyx approved these changes

+3 more reviewers

@danielleadamsdanielleadamsdanielleadams approved these changes

@theoludwigtheoludwigtheoludwig approved these changes

@bl-uebl-uebl-ue approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

fsIssues and PRs related to the fs subsystem / file system.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@aduh95@nodejs-github-bot@targos@danielleadams@Lxxyx@theoludwig@bl-ue