ljharb at gmail.com
Fri May 1 16:24:43 UTC 2020
I'm confused about that as well; there were a spate of CVEs about it a year
or two ago (2 or 3 of my libraries were "affected"), but just like the
minimist/mkdirp ones, they were only actually vulnerabilities for a
minority of the use cases. Have there been any recent vulnerabilities
you're aware of?
On Fri, May 1, 2020 at 9:22 AM Bob Myers <rtm at gol.com> wrote:
> Can you explain or support your assertion of "increased prevalence"?
> On Fri, May 1, 2020, 05:51 Mike Sherov <mike.sherov at gmail.com> wrote:
>> Given the increased prevalence of prototype pollution vulnerabilities in
>> Object.assign allows for prototype pollution by default?
>> I see two options:
>> 1. Change Object.assign to disallow PP by default. Look at real world
>> usages and see what would break if prototype pollution was disabled? Almost
>> certainly this is not a viable option, but wanted to raise it here just in
>> case there was appetite to do so.
>> 2. Introduce something like Object.safeAssign (bikeshedding aside), that
>> is the same as Object.assign except is safe from prototype pollution.
>> The reason I think this is important is that the common advice of
>> freezing Object.prototype is something only the end user can do, and not
>> something a library can do.
>> Yes, a library can also know to do its own PP fixes, but having a reified
>> way to avoid PP allows us to have a secure-by-default method in the
>> Mike Sherov
>> es-discuss mailing list
>> es-discuss at mozilla.org
> es-discuss mailing list
> es-discuss at mozilla.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the es-discuss