fix: Prototype-polluting assignment
Ticket 🎟️#3705
To fix the prototype pollution vulnerability, we should ensure that the keys used in the combineOverrides method cannot be used to modify the Object.prototype. One effective way to achieve this is by using a Map object instead of a plain object for combinedOverrides. This will prevent any prototype pollution since Map does not have the same prototype properties as plain objects.
Quality Assurance
- [x] If a new adapter was made, or an existing one was modified so that its environment variables have changed, update the relevant infra-k8s configuration file.
- [ ] If a new adapter was made, or an existing one was modified so that its environment variables have changed, update the relevant adapter-secrets configuration file or update the soak testing blacklist.
- [ ] If a new adapter was made, or a new endpoint was added, update the test-payload.json file with relevant requests.
- [x] The branch naming follows git flow (feature/x, chore/x, release/x, hotfix/x, fix/x) or is created from Jira.
- [ ] This is related to a maximum of one Jira story or GitHub issue.
- [ ] Types are safe (avoid TypeScript/TSLint features like any and disable, instead use more specific types).
- [x] All code changes have 100% unit and integration test coverage. If testing is not applicable or too difficult to justify doing, the reasoning should be documented explicitly in the PR.
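The difference between a plain-object accumulator and a Map, as an added example that is not part of this PR or the project's code. The two-level override shape, the function names and the sample input are assumptions made for illustration; the project's combineOverrides is not shown on this page.

```javascript
// Constructed input, parsed the way a JSON request body would be.
// JSON.parse stores "__proto__" as an ordinary own key on the result.
const untrusted = JSON.parse(
  '{"coingecko": {"ETH": "ethereum"}, "__proto__": {"polluted": "yes"}}'
);

// Before (hypothetical): plain object as the accumulator.
// combined["__proto__"] resolves to Object.prototype, so the inner
// assignment writes a property that every object then inherits.
function combinePlain(...sources) {
  const combined = {};
  for (const source of sources) {
    for (const [adapter, symbols] of Object.entries(source)) {
      if (!combined[adapter]) combined[adapter] = {};
      for (const [symbol, value] of Object.entries(symbols)) {
        combined[adapter][symbol] = value;
      }
    }
  }
  return combined;
}

// After (hypothetical): Map as the accumulator at both levels.
// Map keys are data only; "__proto__" is stored like any other string.
function combineMap(...sources) {
  const combined = new Map();
  for (const source of sources) {
    for (const [adapter, symbols] of Object.entries(source)) {
      if (!combined.has(adapter)) combined.set(adapter, new Map());
      for (const [symbol, value] of Object.entries(symbols)) {
        combined.get(adapter).set(symbol, value);
      }
    }
  }
  return combined;
}

// Runs one merge, then checks whether a fresh, unrelated object
// inherited the attacker-chosen property. Cleans up afterwards.
function demo(combine) {
  const result = combine(untrusted);
  const leaked = {}.polluted;
  delete Object.prototype.polluted;
  return { result, leaked };
}
```

If the Map is later converted back to a plain object with bracket assignment, the `__proto__` key is treated as the prototype setter again, so that conversion needs the same care.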
⚠️ No Changeset found
Latest commit: 09a328cc467e9a581eaa53c756a9fb525963d224
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Please run yarn changeset