From 4225d1b35b9a30868c8f50c778f25062077cd68b Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 25 Oct 2022 17:43:17 +0200 Subject: [PATCH 1/5] esm: protect ESM loader from prototype pollution In a previous commit, the loader implementation was modified to be protected against most prototype pollution, but was kept vulnerable to `Array.prototype` pollution. This commit fixes that, the tradeoff is that it modifies the `ESMLoader.prototype.import` return type from an `Array` to an array-like object. Refs: /~https://github.com/nodejs/node/pull/45044 --- doc/contributing/primordials.md | 37 +++++++++++----- lib/internal/modules/esm/loader.js | 4 +- lib/internal/modules/esm/module_job.js | 9 ++-- lib/internal/per_context/primordials.js | 44 +++++++++++++++++++ lib/internal/vm/module.js | 4 +- .../es-module/test-cjs-prototype-pollution.js | 5 --- .../test-eslint-avoid-prototype-pollution.js | 10 +++++ test/parallel/test-primordials-promise.js | 28 +++++++++--- .../eslint-rules/avoid-prototype-pollution.js | 7 +++ 9 files changed, 120 insertions(+), 28 deletions(-) diff --git a/doc/contributing/primordials.md b/doc/contributing/primordials.md index e240c0302c79eb..6761ad6dcb5327 100644 --- a/doc/contributing/primordials.md +++ b/doc/contributing/primordials.md @@ -363,20 +363,30 @@ Object.defineProperty(Object.prototype, Symbol.isConcatSpreadable, { // 1. Lookup @@iterator property on `array` (user-mutable if user-provided). // 2. Lookup @@iterator property on %Array.prototype% (user-mutable). // 3. Lookup `next` property on %ArrayIteratorPrototype% (user-mutable). +// 4. Lookup `then` property on %Array.Prototype% (user-mutable). +// 5. Lookup `then` property on %Object.Prototype% (user-mutable). PromiseAll([]); // unsafe -PromiseAll(new SafeArrayIterator([])); // safe +// 1. Lookup `then` property on %Array.Prototype% (user-mutable). +// 2. Lookup `then` property on %Object.Prototype% (user-mutable). +PromiseAll(new SafeArrayIterator([])); // still unsafe +SafePromiseAll([]); // still unsafe + +SafePromiseAllReturnVoid([]); // safe +SafePromiseAllReturnArrayLike([]); // safe const array = [promise]; const set = new SafeSet().add(promise); // When running one of these functions on a non-empty iterable, it will also: -// 4. Lookup `then` property on `promise` (user-mutable if user-provided). -// 5. Lookup `then` property on `%Promise.prototype%` (user-mutable). +// 1. Lookup `then` property on `promise` (user-mutable if user-provided). +// 2. Lookup `then` property on `%Promise.prototype%` (user-mutable). +// 3. Lookup `then` property on %Array.Prototype% (user-mutable). +// 4. Lookup `then` property on %Object.Prototype% (user-mutable). PromiseAll(new SafeArrayIterator(array)); // unsafe - PromiseAll(set); // unsafe -SafePromiseAll(array); // safe +SafePromiseAllReturnVoid(array); // safe +SafePromiseAllReturnArrayLike(array); // safe // Some key differences between `SafePromise[...]` and `Promise[...]` methods: @@ -385,11 +395,18 @@ SafePromiseAll(array); // safe SafePromiseAll(ArrayPrototypeMap(array, someFunction)); SafePromiseAll(array, someFunction); // Same as the above, but more efficient. -// 2. SafePromiseAll, SafePromiseAllSettled, SafePromiseAny, and SafePromiseRace -// only support arrays, not iterables. Use ArrayFrom to convert an iterable -// to an array. -SafePromiseAll(set); // ignores set content. -SafePromiseAll(ArrayFrom(set)); // safe +// 2. SafePromiseAll, SafePromiseAllSettled, SafePromiseAny, SafePromiseRace, +// SafePromiseAllReturnArrayLike, SafePromiseAllReturnVoid, and +// SafePromiseAllSettledReturnVoid only support arrays and array-like +// objects, not iterables. Use ArrayFrom to convert an iterable to an array. +SafePromiseAllReturnVoid(set); // ignores set content. +SafePromiseAllReturnVoid(ArrayFrom(set)); // works + +// 3. SafePromiseAllReturnArrayLike is safer than SafePromiseAll, however you +// should not use them when its return value is passed to the user as it can +// be surprising for them not to receive a genuine array. +SafePromiseAllReturnArrayLike(array).then((val) => Array.isArray(val)); // false +SafePromiseAll(array).then((val) => Array.isArray(val)); // true ``` diff --git a/lib/internal/modules/esm/loader.js b/lib/internal/modules/esm/loader.js index c4b69442ccff6b..0f23d48084abe8 100644 --- a/lib/internal/modules/esm/loader.js +++ b/lib/internal/modules/esm/loader.js @@ -14,7 +14,7 @@ const { ObjectDefineProperty, ObjectSetPrototypeOf, RegExpPrototypeExec, - SafePromiseAll, + SafePromiseAllReturnArrayLike, SafeWeakMap, StringPrototypeSlice, StringPrototypeToUpperCase, @@ -516,7 +516,7 @@ class ESMLoader { .then(({ module }) => module.getNamespace()); } - const namespaces = await SafePromiseAll(jobs); + const namespaces = await SafePromiseAllReturnArrayLike(jobs); if (!wasArr) { return namespaces[0]; } // We can skip the pairing below diff --git a/lib/internal/modules/esm/module_job.js b/lib/internal/modules/esm/module_job.js index 2f8f267ce1bb0b..33af5eaa6e4d8e 100644 --- a/lib/internal/modules/esm/module_job.js +++ b/lib/internal/modules/esm/module_job.js @@ -12,7 +12,8 @@ const { ReflectApply, RegExpPrototypeExec, RegExpPrototypeSymbolReplace, - SafePromiseAll, + SafePromiseAllReturnArrayLike, + SafePromiseAllReturnVoid, SafeSet, StringPrototypeIncludes, StringPrototypeSplit, @@ -80,9 +81,9 @@ class ModuleJob { }); if (promises !== undefined) - await SafePromiseAll(promises); + await SafePromiseAllReturnVoid(promises); - return SafePromiseAll(dependencyJobs); + return SafePromiseAllReturnArrayLike(dependencyJobs); }; // Promise for the list of all dependencyJobs. this.linked = link(); @@ -110,7 +111,7 @@ class ModuleJob { } jobsInGraph.add(moduleJob); const dependencyJobs = await moduleJob.linked; - return SafePromiseAll(dependencyJobs, addJobsToDependencyGraph); + return SafePromiseAllReturnArrayLike(dependencyJobs, addJobsToDependencyGraph); }; await addJobsToDependencyGraph(this); diff --git a/lib/internal/per_context/primordials.js b/lib/internal/per_context/primordials.js index a29d609ec8dbf4..809d04c06ecee3 100644 --- a/lib/internal/per_context/primordials.js +++ b/lib/internal/per_context/primordials.js @@ -477,6 +477,34 @@ primordials.SafePromiseAll = (promises, mapFn) => SafePromise.all(arrayToSafePromiseIterable(promises, mapFn)).then(a, b) ); +/** + * Should only be used for internal functions, this would produce similar + * results as `Promise.all` but without prototype pollution, and the return + * value is not a genuine Array but an array-like object. + * @param {Promise[]} promises + * @returns {Promise} + */ +primordials.SafePromiseAllReturnArrayLike = async (promises) => { + const { length } = promises; + const returnVal = { __proto__: null, length }; + for (let i = 0; i < length; i++) { + returnVal[i] = await promises[i]; + } + return returnVal; +}; + +/** + * Should only be used when we only care about waiting for all the promises to + * resolve, not what value they resolve to. + * @param {Promise[]} promises + * @returns {Promise} + */ +primordials.SafePromiseAllReturnVoid = async (promises) => { + for (let i = 0; i < promises.length; i++) { + await promises[i]; + } +}; + /** * @param {Promise[]} promises * @param {(v: Promise, k: number) => Promise} [mapFn] @@ -489,6 +517,22 @@ primordials.SafePromiseAllSettled = (promises, mapFn) => SafePromise.allSettled(arrayToSafePromiseIterable(promises, mapFn)).then(a, b) ); +/** + * Should only be used when we only care about waiting for all the promises to + * settle, not what value they resolve or reject to. + * @param {Promise[]} promises + * @returns {Promise} + */ +primordials.SafePromiseAllSettledReturnVoid = async (promises) => { + for (let i = 0; i < promises.length; i++) { + try { + await promises[i]; + } catch { + // In all settled, we can ignore errors. + } + } +}; + /** * @param {Promise[]} promises * @param {(v: Promise, k: number) => Promise} [mapFn] diff --git a/lib/internal/vm/module.js b/lib/internal/vm/module.js index fe72c16a97665d..7e0131c7db2872 100644 --- a/lib/internal/vm/module.js +++ b/lib/internal/vm/module.js @@ -11,7 +11,7 @@ const { ObjectGetPrototypeOf, ObjectSetPrototypeOf, ReflectApply, - SafePromiseAll, + SafePromiseAllReturnVoid, SafeWeakMap, Symbol, SymbolToStringTag, @@ -330,7 +330,7 @@ class SourceTextModule extends Module { try { if (promises !== undefined) { - await SafePromiseAll(promises); + await SafePromiseAllReturnVoid(promises); } } catch (e) { this.#error = e; diff --git a/test/es-module/test-cjs-prototype-pollution.js b/test/es-module/test-cjs-prototype-pollution.js index ea24407ee75c40..9f6291eff14d49 100644 --- a/test/es-module/test-cjs-prototype-pollution.js +++ b/test/es-module/test-cjs-prototype-pollution.js @@ -2,11 +2,6 @@ const { mustNotCall, mustCall } = require('../common'); -Object.defineProperties(Array.prototype, { - // %Promise.all% and %Promise.allSettled% are depending on the value of - // `%Array.prototype%.then`. - then: {}, -}); Object.defineProperties(Object.prototype, { then: { set: mustNotCall('set %Object.prototype%.then'), diff --git a/test/parallel/test-eslint-avoid-prototype-pollution.js b/test/parallel/test-eslint-avoid-prototype-pollution.js index 0a39dd489499e6..76eee4379b965d 100644 --- a/test/parallel/test-eslint-avoid-prototype-pollution.js +++ b/test/parallel/test-eslint-avoid-prototype-pollution.js @@ -63,6 +63,8 @@ new RuleTester({ 'new Proxy({}, someFactory())', 'new Proxy({}, { __proto__: null })', 'new Proxy({}, { __proto__: null, ...{} })', + 'async function name(){return await SafePromiseAll([])}', + 'async function name(){const val = await SafePromiseAll([])}', ], invalid: [ { @@ -273,6 +275,14 @@ new RuleTester({ code: 'PromiseAll([])', errors: [{ message: /\bSafePromiseAll\b/ }] }, + { + code: 'async function fn(){await SafePromiseAll([])}', + errors: [{ message: /\bSafePromiseAllReturnVoid\b/ }] + }, + { + code: 'async function fn(){await SafePromiseAllSettled([])}', + errors: [{ message: /\bSafePromiseAllSettledReturnVoid\b/ }] + }, { code: 'PromiseAllSettled([])', errors: [{ message: /\bSafePromiseAllSettled\b/ }] diff --git a/test/parallel/test-primordials-promise.js b/test/parallel/test-primordials-promise.js index ae9a381b1a90a6..042644334e10b7 100644 --- a/test/parallel/test-primordials-promise.js +++ b/test/parallel/test-primordials-promise.js @@ -7,7 +7,10 @@ const assert = require('assert'); const { PromisePrototypeThen, SafePromiseAll, + SafePromiseAllReturnArrayLike, + SafePromiseAllReturnVoid, SafePromiseAllSettled, + SafePromiseAllSettledReturnVoid, SafePromiseAny, SafePromisePrototypeFinally, SafePromiseRace, @@ -34,9 +37,11 @@ Object.defineProperties(Promise.prototype, { }, }); Object.defineProperties(Array.prototype, { - // %Promise.all% and %Promise.allSettled% are depending on the value of - // `%Array.prototype%.then`. - then: {}, + then: { + configurable: true, + set: common.mustNotCall('set %Array.prototype%.then'), + get: common.mustNotCall('get %Array.prototype%.then'), + }, }); Object.defineProperties(Object.prototype, { then: { @@ -48,11 +53,24 @@ Object.defineProperties(Object.prototype, { assertIsPromise(PromisePrototypeThen(test(), common.mustCall())); assertIsPromise(SafePromisePrototypeFinally(test(), common.mustCall())); -assertIsPromise(SafePromiseAll([test()])); -assertIsPromise(SafePromiseAllSettled([test()])); +assertIsPromise(SafePromiseAllReturnArrayLike([test()])); +assertIsPromise(SafePromiseAllReturnVoid([test()])); +assertIsPromise(SafePromiseAllSettledReturnVoid([test()])); assertIsPromise(SafePromiseAny([test()])); assertIsPromise(SafePromiseRace([test()])); +Object.defineProperties(Array.prototype, { + // %Promise.all% and %Promise.allSettled% are depending on the value of + // `%Array.prototype%.then`. + then: { + __proto__: undefined, + value: undefined, + }, +}); + +assertIsPromise(SafePromiseAll([test()])); +assertIsPromise(SafePromiseAllSettled([test()])); + async function test() { const catchFn = common.mustCall(); const finallyFn = common.mustCall(); diff --git a/tools/eslint-rules/avoid-prototype-pollution.js b/tools/eslint-rules/avoid-prototype-pollution.js index 343dbaf39d15e0..fdc43c259d9a5b 100644 --- a/tools/eslint-rules/avoid-prototype-pollution.js +++ b/tools/eslint-rules/avoid-prototype-pollution.js @@ -194,6 +194,13 @@ module.exports = { }); }, + [`ExpressionStatement>AwaitExpression>${CallExpression(/^(Safe)?PromiseAll(Settled)?$/)}`](node) { + context.report({ + node, + message: `Use ${node.callee.name}ReturnVoid`, + }); + }, + [CallExpression('PromisePrototypeCatch')](node) { context.report({ node, From d82537bec5128eba873dd4cb18cf7219529c1fca Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 25 Oct 2022 20:14:48 +0200 Subject: [PATCH 2/5] fixup! esm: protect ESM loader from prototype pollution --- doc/contributing/primordials.md | 10 ++-- lib/internal/per_context/primordials.js | 50 +++++++++++++------ .../test-esm-prototype-pollution.mjs | 5 -- test/parallel/test-primordials-promise.js | 42 ++++++++++++++++ 4 files changed, 83 insertions(+), 24 deletions(-) diff --git a/doc/contributing/primordials.md b/doc/contributing/primordials.md index 6761ad6dcb5327..48f260559f0c39 100644 --- a/doc/contributing/primordials.md +++ b/doc/contributing/primordials.md @@ -390,8 +390,10 @@ SafePromiseAllReturnArrayLike(array); // safe // Some key differences between `SafePromise[...]` and `Promise[...]` methods: -// 1. SafePromiseAll, SafePromiseAllSettled, SafePromiseAny, and SafePromiseRace -// support passing a mapperFunction as second argument. +// 1. SafePromiseAll, SafePromiseAllSettled, SafePromiseAny, SafePromiseRace, +// SafePromiseAllReturnArrayLike, SafePromiseAllReturnVoid, and +// SafePromiseAllSettledReturnVoid support passing a mapperFunction as second +// argument. SafePromiseAll(ArrayPrototypeMap(array, someFunction)); SafePromiseAll(array, someFunction); // Same as the above, but more efficient. @@ -405,8 +407,8 @@ SafePromiseAllReturnVoid(ArrayFrom(set)); // works // 3. SafePromiseAllReturnArrayLike is safer than SafePromiseAll, however you // should not use them when its return value is passed to the user as it can // be surprising for them not to receive a genuine array. -SafePromiseAllReturnArrayLike(array).then((val) => Array.isArray(val)); // false -SafePromiseAll(array).then((val) => Array.isArray(val)); // true +SafePromiseAllReturnArrayLike(array).then((val) => val instanceof Array); // false +SafePromiseAll(array).then((val) => val instanceof Array); // true ``` diff --git a/lib/internal/per_context/primordials.js b/lib/internal/per_context/primordials.js index 809d04c06ecee3..ea3284c64ce5aa 100644 --- a/lib/internal/per_context/primordials.js +++ b/lib/internal/per_context/primordials.js @@ -261,6 +261,7 @@ function copyPrototype(src, dest, prefix) { /* eslint-enable node-core/prefer-primordials */ const { + Array: ArrayConstructor, ArrayPrototypeForEach, ArrayPrototypeMap, FinalizationRegistry, @@ -272,6 +273,7 @@ const { ObjectSetPrototypeOf, Promise, PromisePrototypeThen, + PromiseResolve, ReflectApply, ReflectConstruct, ReflectSet, @@ -482,28 +484,45 @@ primordials.SafePromiseAll = (promises, mapFn) => * results as `Promise.all` but without prototype pollution, and the return * value is not a genuine Array but an array-like object. * @param {Promise[]} promises + * @param {(v: Promise, k: number) => Promise} [mapFn] * @returns {Promise} */ -primordials.SafePromiseAllReturnArrayLike = async (promises) => { - const { length } = promises; - const returnVal = { __proto__: null, length }; - for (let i = 0; i < length; i++) { - returnVal[i] = await promises[i]; - } - return returnVal; -}; +primordials.SafePromiseAllReturnArrayLike = (promises, mapFn) => + new Promise((resolve, reject) => { + const { length } = promises; + + const returnVal = ArrayConstructor(length); + ObjectSetPrototypeOf(returnVal, null); + + let pendingPromises = length; + if (pendingPromises === 0) resolve(returnVal); + for (let i = 0; i < length; i++) { + const promise = mapFn != null ? mapFn(promises[i], i) : promises[i]; + PromisePrototypeThen(PromiseResolve(promise), (result) => { + returnVal[i] = result; + if (--pendingPromises === 0) resolve(returnVal); + }, reject); + } + }); /** * Should only be used when we only care about waiting for all the promises to * resolve, not what value they resolve to. * @param {Promise[]} promises + * @param {(v: Promise, k: number) => Promise} [mapFn] * @returns {Promise} */ -primordials.SafePromiseAllReturnVoid = async (promises) => { - for (let i = 0; i < promises.length; i++) { - await promises[i]; - } -}; +primordials.SafePromiseAllReturnVoid = (promises, mapFn) => + new Promise((resolve, reject) => { + let pendingPromises = promises.length; + if (pendingPromises === 0) resolve(); + for (let i = 0; i < promises.length; i++) { + const promise = mapFn != null ? mapFn(promises[i], i) : promises[i]; + PromisePrototypeThen(PromiseResolve(promise), () => { + if (--pendingPromises === 0) resolve(); + }, reject); + } + }); /** * @param {Promise[]} promises @@ -521,12 +540,13 @@ primordials.SafePromiseAllSettled = (promises, mapFn) => * Should only be used when we only care about waiting for all the promises to * settle, not what value they resolve or reject to. * @param {Promise[]} promises + * @param {(v: Promise, k: number) => Promise} [mapFn] * @returns {Promise} */ -primordials.SafePromiseAllSettledReturnVoid = async (promises) => { +primordials.SafePromiseAllSettledReturnVoid = async (promises, mapFn) => { for (let i = 0; i < promises.length; i++) { try { - await promises[i]; + await (mapFn != null ? mapFn(promises[i], i) : promises[i]); } catch { // In all settled, we can ignore errors. } diff --git a/test/es-module/test-esm-prototype-pollution.mjs b/test/es-module/test-esm-prototype-pollution.mjs index 3a311394adc224..6ba1fd8d64025f 100644 --- a/test/es-module/test-esm-prototype-pollution.mjs +++ b/test/es-module/test-esm-prototype-pollution.mjs @@ -1,10 +1,5 @@ import { mustNotCall, mustCall } from '../common/index.mjs'; -Object.defineProperties(Array.prototype, { - // %Promise.all% and %Promise.allSettled% are depending on the value of - // `%Array.prototype%.then`. - then: {}, -}); Object.defineProperties(Object.prototype, { then: { set: mustNotCall('set %Object.prototype%.then'), diff --git a/test/parallel/test-primordials-promise.js b/test/parallel/test-primordials-promise.js index 042644334e10b7..58a65d73bf6618 100644 --- a/test/parallel/test-primordials-promise.js +++ b/test/parallel/test-primordials-promise.js @@ -59,6 +59,44 @@ assertIsPromise(SafePromiseAllSettledReturnVoid([test()])); assertIsPromise(SafePromiseAny([test()])); assertIsPromise(SafePromiseRace([test()])); +assertIsPromise(SafePromiseAllReturnArrayLike([])); +assertIsPromise(SafePromiseAllReturnVoid([])); +assertIsPromise(SafePromiseAllSettledReturnVoid([])); + +{ + const val1 = Symbol(); + const val2 = Symbol(); + PromisePrototypeThen( + SafePromiseAllReturnArrayLike([Promise.resolve(val1), { then(resolve) { resolve(val2); } }]), + common.mustCall((val) => { + assert.strictEqual(Array.isArray(val), true); + const expected = [val1, val2]; + assert.deepStrictEqual(val.length, expected.length); + assert.strictEqual(val[0], expected[0]); + assert.strictEqual(val[1], expected[1]); + }) + ); +} + +{ + // Never settling promises should not block the resulting promise to be rejected: + const error = new Error(); + PromisePrototypeThen( + SafePromiseAllReturnArrayLike([new Promise(() => {}), Promise.reject(error)]), + common.mustNotCall('Should have rejected'), + common.mustCall((err) => { + assert.strictEqual(err, error); + }) + ); + PromisePrototypeThen( + SafePromiseAllReturnVoid([new Promise(() => {}), Promise.reject(error)]), + common.mustNotCall('Should have rejected'), + common.mustCall((err) => { + assert.strictEqual(err, error); + }) + ); +} + Object.defineProperties(Array.prototype, { // %Promise.all% and %Promise.allSettled% are depending on the value of // `%Array.prototype%.then`. @@ -71,6 +109,9 @@ Object.defineProperties(Array.prototype, { assertIsPromise(SafePromiseAll([test()])); assertIsPromise(SafePromiseAllSettled([test()])); +assertIsPromise(SafePromiseAll([])); +assertIsPromise(SafePromiseAllSettled([])); + async function test() { const catchFn = common.mustCall(); const finallyFn = common.mustCall(); @@ -88,4 +129,5 @@ function assertIsPromise(promise) { // Make sure the returned promise is a genuine %Promise% object and not a // subclass instance. assert.strictEqual(Object.getPrototypeOf(promise), Promise.prototype); + PromisePrototypeThen(promise, common.mustCall()); } From 00f3c451ce61ca7cfe25e56bf081f8c6dacce8b0 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 25 Oct 2022 20:30:54 +0200 Subject: [PATCH 3/5] fixup! fixup! esm: protect ESM loader from prototype pollution --- lib/internal/modules/esm/module_job.js | 2 +- lib/internal/per_context/primordials.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/internal/modules/esm/module_job.js b/lib/internal/modules/esm/module_job.js index 33af5eaa6e4d8e..ddf574b07a8e8a 100644 --- a/lib/internal/modules/esm/module_job.js +++ b/lib/internal/modules/esm/module_job.js @@ -111,7 +111,7 @@ class ModuleJob { } jobsInGraph.add(moduleJob); const dependencyJobs = await moduleJob.linked; - return SafePromiseAllReturnArrayLike(dependencyJobs, addJobsToDependencyGraph); + return SafePromiseAllReturnVoid(dependencyJobs, addJobsToDependencyGraph); }; await addJobsToDependencyGraph(this); diff --git a/lib/internal/per_context/primordials.js b/lib/internal/per_context/primordials.js index ea3284c64ce5aa..8410d1d77545ae 100644 --- a/lib/internal/per_context/primordials.js +++ b/lib/internal/per_context/primordials.js @@ -493,9 +493,9 @@ primordials.SafePromiseAllReturnArrayLike = (promises, mapFn) => const returnVal = ArrayConstructor(length); ObjectSetPrototypeOf(returnVal, null); + if (length === 0) resolve(returnVal); let pendingPromises = length; - if (pendingPromises === 0) resolve(returnVal); for (let i = 0; i < length; i++) { const promise = mapFn != null ? mapFn(promises[i], i) : promises[i]; PromisePrototypeThen(PromiseResolve(promise), (result) => { From f93851d1c35e6a68cfc600ca9fa4b1635ec8dab3 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 25 Oct 2022 21:02:25 +0200 Subject: [PATCH 4/5] fixup! esm: protect ESM loader from prototype pollution --- lib/internal/per_context/primordials.js | 43 ++++++++++++++----------- 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/lib/internal/per_context/primordials.js b/lib/internal/per_context/primordials.js index 8410d1d77545ae..3a7983c76e8b0a 100644 --- a/lib/internal/per_context/primordials.js +++ b/lib/internal/per_context/primordials.js @@ -468,9 +468,10 @@ const arrayToSafePromiseIterable = (promises, mapFn) => ); /** - * @param {Promise[]} promises - * @param {(v: Promise, k: number) => Promise} [mapFn] - * @returns {Promise} + * @template T,U + * @param {Array>} promises + * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] + * @returns {Promise[]>} */ primordials.SafePromiseAll = (promises, mapFn) => // Wrapping on a new Promise is necessary to not expose the SafePromise @@ -483,9 +484,10 @@ primordials.SafePromiseAll = (promises, mapFn) => * Should only be used for internal functions, this would produce similar * results as `Promise.all` but without prototype pollution, and the return * value is not a genuine Array but an array-like object. - * @param {Promise[]} promises - * @param {(v: Promise, k: number) => Promise} [mapFn] - * @returns {Promise} + * @template T,U + * @param {ArrayLike>} promises + * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] + * @returns {Promise>>} */ primordials.SafePromiseAllReturnArrayLike = (promises, mapFn) => new Promise((resolve, reject) => { @@ -508,8 +510,9 @@ primordials.SafePromiseAllReturnArrayLike = (promises, mapFn) => /** * Should only be used when we only care about waiting for all the promises to * resolve, not what value they resolve to. - * @param {Promise[]} promises - * @param {(v: Promise, k: number) => Promise} [mapFn] + * @template T,U + * @param {ArrayLike>} promises + * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] * @returns {Promise} */ primordials.SafePromiseAllReturnVoid = (promises, mapFn) => @@ -525,8 +528,9 @@ primordials.SafePromiseAllReturnVoid = (promises, mapFn) => }); /** - * @param {Promise[]} promises - * @param {(v: Promise, k: number) => Promise} [mapFn] + * @template T,U + * @param {Array>} promises + * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] * @returns {Promise[]>} */ primordials.SafePromiseAllSettled = (promises, mapFn) => @@ -539,8 +543,9 @@ primordials.SafePromiseAllSettled = (promises, mapFn) => /** * Should only be used when we only care about waiting for all the promises to * settle, not what value they resolve or reject to. - * @param {Promise[]} promises - * @param {(v: Promise, k: number) => Promise} [mapFn] + * @template T,U + * @param {Array>} promises + * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] * @returns {Promise} */ primordials.SafePromiseAllSettledReturnVoid = async (promises, mapFn) => { @@ -554,9 +559,10 @@ primordials.SafePromiseAllSettledReturnVoid = async (promises, mapFn) => { }; /** - * @param {Promise[]} promises - * @param {(v: Promise, k: number) => Promise} [mapFn] - * @returns {Promise} + * @template T,U + * @param {Array>} promises + * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] + * @returns {Promise>} */ primordials.SafePromiseAny = (promises, mapFn) => // Wrapping on a new Promise is necessary to not expose the SafePromise @@ -566,9 +572,10 @@ primordials.SafePromiseAny = (promises, mapFn) => ); /** - * @param {Promise[]} promises - * @param {(v: Promise, k: number) => Promise} [mapFn] - * @returns {Promise} + * @template T,U + * @param {Array>} promises + * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] + * @returns {Promise>} */ primordials.SafePromiseRace = (promises, mapFn) => // Wrapping on a new Promise is necessary to not expose the SafePromise From ae20149e3220b367c5bb0434094f6abf2e5fba35 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Wed, 26 Oct 2022 13:08:31 +0200 Subject: [PATCH 5/5] Update lib/internal/per_context/primordials.js --- lib/internal/per_context/primordials.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/internal/per_context/primordials.js b/lib/internal/per_context/primordials.js index 3a7983c76e8b0a..bc903d02849e41 100644 --- a/lib/internal/per_context/primordials.js +++ b/lib/internal/per_context/primordials.js @@ -544,7 +544,7 @@ primordials.SafePromiseAllSettled = (promises, mapFn) => * Should only be used when we only care about waiting for all the promises to * settle, not what value they resolve or reject to. * @template T,U - * @param {Array>} promises + * @param {ArrayLike>} promises * @param {(v: T|PromiseLike, k: number) => U|PromiseLike} [mapFn] * @returns {Promise} */