[address-book-controller, ens-controller] Fix prototype-polluting delete operations

Open MajorLift opened this issue 2 years ago • 0 comments

Fix the following CodeQL security alerts:

  • https://github.com/MetaMask/core/security/code-scanning/2
  • https://github.com/MetaMask/core/security/code-scanning/3

Approach 1

Replace the flagged property assignments by returning an updated object in the enclosing this.update() call, or mutating the state object without using the delete keyword.

Object.assign and spread operator syntax are both safe to use for this purpose as they only enumerate "own" properties of object literals.

For an example of this approach, see: https://github.com/MetaMask/core/pull/3963/files#diff-1eb134c9c5a9dd0a4e4838f719ba67723f61fdacd8bfc1a9acef96366b7578fbR207-R236

Approach 2

Validate that the dynamic string property in question does not evaluate to __proto__ before performing the assignment operation.

MajorLift, Feb 26 '24 18:02
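
The two approaches above applied to a nested delete, as an added example that is not MetaMask's controller code. The `AddressBookState` shape, the function names and the sample keys are assumptions, and the key check also rejects `constructor` and `prototype`, which goes beyond the `__proto__` check named in Approach 2.

```typescript
// Added example. The AddressBookState shape and all names are assumptions,
// not the project's controller code.
type BookEntry = { name: string };
type AddressBookState = Record<string, Record<string, BookEntry>>;

const UNSAFE_KEYS: string[] = ['__proto__', 'constructor', 'prototype'];

function hasOwnKey(obj: object, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Flagged pattern: with chainId "__proto__", book[chainId] resolves to
// Object.prototype, so the delete removes a property all objects inherit.
function deleteUnsafe(book: AddressBookState, chainId: string, address: string): void {
  if (book[chainId]) {
    delete book[chainId][address];
  }
}

// Approach 1: no delete; build and return a new object from own properties.
function deleteByRebuild(book: AddressBookState, chainId: string, address: string): AddressBookState {
  if (!hasOwnKey(book, chainId) || !hasOwnKey(book[chainId], address)) {
    return book; // nothing owned under these keys, state unchanged
  }
  const { [address]: _removed, ...remaining } = book[chainId];
  return { ...book, [chainId]: remaining };
}

// Approach 2: validate the dynamic keys before mutating in place.
function deleteWithKeyCheck(book: AddressBookState, chainId: string, address: string): boolean {
  if (UNSAFE_KEYS.indexOf(chainId) !== -1 || UNSAFE_KEYS.indexOf(address) !== -1) {
    return false;
  }
  if (!hasOwnKey(book, chainId) || !hasOwnKey(book[chainId], address)) {
    return false;
  }
  delete book[chainId][address];
  return true;
}
```
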