Object.safeAssign

Isiah Meadows contact at isiahmeadows.com
Fri May 1 16:12:58 UTC 2020


Missed the list. Also, it apparently does trigger setters. Crossed it up
with spread properties (which don't).

On Fri, May 1, 2020 at 06:28 Isiah Meadows <contact at isiahmeadows.com> wrote:

> I thought `Object.assign`already used the `Object.keys` +
> `Object.defineProperty` algorithms under the hood and thus were immune to
> this. Am I misremembering or misunderstanding?
>
> On Fri, May 1, 2020 at 05:51 Mike Sherov <mike.sherov at gmail.com> wrote:
>
>> Given the increased prevalence of prototype pollution vulnerabilities in
>> many popular javascript libraries, is it time to reconsider the fact that
>> Object.assign allows for prototype pollution by default?
>>
>> I see two options:
>> 1. Change Object.assign to disallow PP by default. Look at real world
>> usages and see what would break if prototype pollution was disabled? Almost
>> certainly this is not a viable option, but wanted to raise it here just in
>> case there was appetite to do so.
>> 2. Introduce something like Object.safeAssign (bikeshedding aside), that
>> is the same as Object.assign except is safe from prototype pollution.
>>
>> The reason I think this is important is that the common advice of
>> freezing Object.prototype is something only the end user can do, and not
>> something a library can do.
>>
>> Yes, a library can also know to do its own PP fixes, but having a reified
>> way to avoid PP allows us to have a secure-by-default method in the
>> language.
>>
>> Thoughts?
>>
>> Mike Sherov
>> _______________________________________________
>> es-discuss mailing list
>> es-discuss at mozilla.org
>> https://mail.mozilla.org/listinfo/es-discuss
>>
> --
> -----
>
> Isiah Meadows
> contact at isiahmeadows.com
> www.isiahmeadows.com
>
-- 
-----

Isiah Meadows
contact at isiahmeadows.com
www.isiahmeadows.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20200501/9942bdcb/attachment.html>


More information about the es-discuss mailing list