Object.safeAssign

Mike Sherov mike.sherov at gmail.com
Fri May 1 12:50:58 UTC 2020


Given the increased prevalence of prototype pollution vulnerabilities in many popular JavaScript libraries, is it time to reconsider the fact that Object.assign allows for prototype pollution by default?

I see two options:
1. Change Object.assign to disallow PP by default. Look at real-world usages and see what would break if prototype pollution was disabled. Almost certainly this is not a viable option, but I wanted to raise it here just in case there was appetite to do so.
2. Introduce something like Object.safeAssign (bikeshedding aside), that is the same as Object.assign except that it is safe from prototype pollution.

The reason I think this is important is that the common advice of freezing Object.prototype is something only the end user can do, and not something a library can do. 

Yes, a library can also know to do its own PP fixes, but having a reified way to avoid PP allows us to have a secure-by-default method in the language.

Thoughts?

Mike Sherov
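The following is an added example, not part of the original post or of any proposal text: it runs Object.assign and a hypothetical safeAssign over the same constructed untrusted input, where an own `__proto__` key replaces the target's prototype in the first case and is ignored in the second. The name safeAssign comes from the post; its semantics here (dropping the `__proto__` key) are an assumption.

```javascript
// Added example: safeAssign is hypothetical, not a language or library API.
function safeAssign(target, ...sources) {
  if (target === null || target === undefined) {
    throw new TypeError('Cannot convert undefined or null to object');
  }
  const to = Object(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of Reflect.ownKeys(from)) {
      const desc = Object.getOwnPropertyDescriptor(from, key);
      if (!desc || !desc.enumerable) continue;
      // Assumed policy: drop "__proto__" rather than run the inherited
      // Object.prototype.__proto__ setter on the target.
      if (key === '__proto__') continue;
      to[key] = from[key];
    }
  }
  return to;
}

// Constructed input: JSON.parse stores "__proto__" as an own data property.
const untrusted = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "guest"}');

function compare() {
  const viaAssign = Object.assign({}, untrusted);
  const viaSafe = safeAssign({}, untrusted);
  return {
    // Object.assign uses [[Set]], so the setter swaps the target's prototype.
    assignIsAdmin: viaAssign.isAdmin,
    assignKeepsDefaultProto: Object.getPrototypeOf(viaAssign) === Object.prototype,
    safeIsAdmin: viaSafe.isAdmin,
    safeKeepsDefaultProto: Object.getPrototypeOf(viaSafe) === Object.prototype,
    safeName: viaSafe.name,
    // Unrelated objects are checked too, to show what was and was not changed.
    freshObjectIsAdmin: ({}).isAdmin,
  };
}

console.log(compare());
```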

