fix(agent-script): prevent Object globals from mutating host prototypes#315
Open
kamilio wants to merge 1 commit into
Open
fix(agent-script): prevent Object globals from mutating host prototypes#315kamilio wants to merge 1 commit into
kamilio wants to merge 1 commit into
Conversation
![poe-code-agent[bot]](https://avatars.githubusercontent.com/in/2645587?s=60&v=4){kind=small}
Comment on lines
+115
to
+119
| if (Array.isArray(value)) { | ||
| return true; | ||
| } | ||
|
|
||
| return Object.getPrototypeOf(value) === Object.prototype; |
Contributor
There was a problem hiding this comment.
Object literals are created with Object.create(null) in interpreter.ts, so this now rejects ordinary script code like Object.assign({}, { ok: true }) and Object.freeze({}). I verified run('return Object.assign({}, { ok: true }).ok') now throws this TypeError. Please allow sandbox null-prototype objects while still blocking the host prototypes.
Suggested change
| if (Array.isArray(value)) { | |
| return true; | |
| } | |
| return Object.getPrototypeOf(value) === Object.prototype; | |
| if (Array.isArray(value)) { | |
| return value !== Array.prototype; | |
| } | |
| const prototype = Object.getPrototypeOf(value); | |
| return prototype === Object.prototype || (prototype === null && value !== Object.prototype); |
| }); | ||
|
|
||
|
|
||
| it("blocks assign and freeze on host prototype objects", async () => { |
Contributor
There was a problem hiding this comment.
Please add coverage for the sandbox object-literal/null-prototype path here too. The current test covers Object.prototype, but not {} from the interpreter, which is the regression path for Object.assign({}, source) and Object.freeze({}).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Object.prototype) via the newly exposedObject.assign/Object.freezeglobals, which cross the sandbox boundary and enable prototype pollution or process-wide DoS.Description
Object.freezeglobal through a guarded helperfreezeSandboxValueso freezing is only applied to approved sandbox-owned targets and is a no-op for other values.isAssignableSandboxTargetso only arrays or plain objects whose prototype isObject.prototype(and that are not sandbox closures/promises) are considered assignable.Object.assignsemantics but reject non-assignable targets with aTypeErrorto prevent writes to host prototype objects.Object.assign(Object.prototype, ...)is rejected andObject.freeze(Object.prototype)is a no-op that does not freeze the host prototype.Testing
npm run test:unit -- packages/agent-script/src/interp/globals/object-array.test.tsand all tests passed (5 passed).npm run lint:eslintandtsc -p tsconfig.build.json --noEmit) ran as part of the commit hook; lint produced warnings only and type check passed.Codex Task