core icon indicating copy to clipboard operation
core copied to clipboard
verified publisher icon MetaMask

[name-controller] Fix prototype-polluting assignments

Open MajorLift opened this issue 2 years ago • 0 comments

Fix the following CodeQL security alerts:

  • https://github.com/MetaMask/core/security/code-scanning/4
  • https://github.com/MetaMask/core/security/code-scanning/5

Approach 1

Replace the flagged property assignments by returning an updated object in the enclosing this.update() call, or using Object.assign to mutate the state object.

Object.assign and spread operator syntax are both safe to use for this purpose as they only enumerate "own" properties of object literals.

For an example of this approach, see: https://github.com/MetaMask/core/pull/3963/files#diff-1eb134c9c5a9dd0a4e4838f719ba67723f61fdacd8bfc1a9acef96366b7578fbR207-R236

Approach 2

Validate that the dynamic string property in question does not evaluate to __proto__ before performing the assignment operation.

MajorLift avatar Feb 26 '24 18:02 MajorLift