Fix prototype-polluting assignments
Explanation
Fixes prototype-polluting assignments by validating that dynamic-string property keys do not evaluate to __proto__, constructor, or prototype at runtime.
Defines isSafeDynamicKey validator and PROTOTYPE_POLLUTION_BLOCKLIST constant in @metamask/controller-utils.
References
- Closes https://github.com/MetaMask/core/issues/3981
- Closes https://github.com/MetaMask/core/issues/3982
Changelog
N/A
Checklist
- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
- [x] I've highlighted breaking changes using the "BREAKING" category above as appropriate
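An added sketch, not the code from this pull request or from @metamask/controller-utils, of the kind of guard the description names: a two-level dynamic assignment before and after a blocklist check. Only the names `isSafeDynamicKey` and `PROTOTYPE_POLLUTION_BLOCKLIST` come from the description; the function bodies, `setNestedUnsafe`, `setNestedSafe`, `demo` and the sample keys are assumptions.

```javascript
// Assumed implementation of the validator named in the PR description.
const PROTOTYPE_POLLUTION_BLOCKLIST = ['__proto__', 'constructor', 'prototype'];

function isSafeDynamicKey(key) {
  return typeof key === 'string' && !PROTOTYPE_POLLUTION_BLOCKLIST.includes(key);
}

// "Before": both keys come from runtime input and are used unchecked.
// With outerKey === '__proto__', state[outerKey] resolves to Object.prototype,
// so the write lands on every object in the realm.
function setNestedUnsafe(state, outerKey, innerKey, value) {
  if (!state[outerKey]) {
    state[outerKey] = {};
  }
  state[outerKey][innerKey] = value;
}

// "After": reject blocklisted keys and only follow own properties.
function setNestedSafe(state, outerKey, innerKey, value) {
  if (!isSafeDynamicKey(outerKey) || !isSafeDynamicKey(innerKey)) {
    return false;
  }
  if (!Object.prototype.hasOwnProperty.call(state, outerKey)) {
    state[outerKey] = {};
  }
  state[outerKey][innerKey] = value;
  return true;
}

// Constructed inputs: '__proto__' stands in for an untrusted key,
// '0x1' / 'balance' for a legitimate one.
function demo() {
  const results = {};
  setNestedUnsafe({}, '__proto__', 'pollutedFlag', true);
  results.unsafePolluted = ({}).pollutedFlag === true;
  delete Object.prototype.pollutedFlag; // undo the demonstration write

  const safeState = {};
  results.safeRejected = !setNestedSafe(safeState, '__proto__', 'pollutedFlag', true);
  results.safePolluted = ({}).pollutedFlag === true;
  results.normalAccepted = setNestedSafe(safeState, '0x1', 'balance', 5);
  results.normalValue = safeState['0x1'].balance;
  return results;
}
```

The guard checks the key at runtime, so it also covers keys assembled from several inputs, which a static check on string literals would miss.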
How does this relate to SES? If the pollution is on intrinsic Object.prototype, lockdown would prevent it.
If not, can we harden the objects in question? __proto__ is not the only way to pollute an object.
This work was motivated by our new security scanner, which highlighted this problem. I don't think the prototype pollution problem addressed here affects applications using lockdown.
👍 No dependency changes detected in pull request
@SocketSecurity ignore npm/[email protected]
New maintainer is a member of the vscode team and maintainer of 96 npm packages, many of them under the @microsoft/ namespace.
@SocketSecurity ignore npm/@lavamoat/[email protected]
Internal package and maintainer.