Skip to content

Security: Potential Prototype Pollution via Object Assignment#1552

Open
tomaioo wants to merge 1 commit into
postmanlabs:developfrom
tomaioo:fix/security/potential-prototype-pollution-via-object
Open

Security: Potential Prototype Pollution via Object Assignment#1552
tomaioo wants to merge 1 commit into
postmanlabs:developfrom
tomaioo:fix/security/potential-prototype-pollution-via-object

Conversation

@tomaioo

@tomaioo tomaioo commented Jul 2, 2026

Copy link
Copy Markdown

Summary

Security: Potential Prototype Pollution via Object Assignment

Problem

Severity: Low | File: lib/runner/timings.js:L32

In lib/runner/timings.js, the constructor uses for (var prop in records) without checking hasOwnProperty, which could lead to prototype pollution if iterate over inherited properties. While the impact is limited in this specific context, this pattern can be dangerous if records comes from user input.

Solution

Add hasOwnProperty check in the for-in loop, or use Object.keys(records).forEach() instead. Consider also validating that records is a plain object before iterating.

Changes

  • lib/runner/timings.js (modified)

In `lib/runner/timings.js`, the constructor uses `for (var prop in records)` without checking `hasOwnProperty`, which could lead to prototype pollution if iterate over inherited properties. While the impact is limited in this specific context, this pattern can be dangerous if `records` comes from user input.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant