
Showing content from https://github.com/nodejs/node/commit/057bd44f9f below:

fix incomplete prototype pollution hardening · nodejs/node@057bd44 · GitHub

File tree Expand file treeCollapse file tree 2 files changed

+34

-1

lines changed


@@ -568,6 +568,7 @@ function normalizeSpawnArguments(file, args, options) {

568 568

else

569 569

validateObject(options, 'options');

570 570 571 +

options = { __proto__: null, ...options };

571 572

let cwd = options.cwd;

572 573 573 574

// Validate the cwd, if present.
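Review bot: The added `options = { __proto__: null, ...options };` line carries no comment saying why the copy exists, so a later cleanup could remove it as redundant. A comment above it would help, for example `// Copy onto a null-prototype object so inherited keys (e.g. a polluted Object.prototype.shell) are never read as options.` Object spread copies only own enumerable properties, so a caller whose option values live on the prototype chain of the object it passes will now have them ignored; that looks intended, but it is worth stating in the comment or the API docs. normalizeSpawnArguments continues outside the hunk, so whether later reads of nested objects such as `options.env` are equally protected cannot be checked from here.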


@@ -1,7 +1,7 @@

1 1

import * as common from '../common/index.mjs';

2 2

import * as fixtures from '../common/fixtures.mjs';

3 3

import { EOL } from 'node:os';

4 -

import { strictEqual } from 'node:assert';

4 +

import { strictEqual, notStrictEqual, throws } from 'node:assert';

5 5

import cp from 'node:child_process';

6 6 7 7

// TODO(LiviaMedeiros): test on different platforms

@@ -57,3 +57,35 @@ for (const tamperedUID of [0, 1, 999, 1000, 0n, 'gwak']) {

57 57 58 58

delete Object.prototype.execPath;

59 59

}

60 + 61 +

for (const shellCommandArgument of ['-L && echo "tampered"']) {

62 +

Object.prototype.shell = true;

63 +

const cmd = 'pwd';

64 +

let cmdExitCode = '';

65 + 66 +

const program = cp.spawn(cmd, [shellCommandArgument], { cwd: expectedCWD });

67 +

program.stderr.on('data', common.mustCall());

68 +

program.stdout.on('data', common.mustNotCall());

69 + 70 +

program.on('exit', common.mustCall((code) => {

71 +

notStrictEqual(code, 0);

72 +

}));

73 + 74 +

cp.execFile(cmd, [shellCommandArgument], { cwd: expectedCWD },

75 +

common.mustCall((err) => {

76 +

notStrictEqual(err.code, 0);

77 +

})

78 +

);

79 + 80 +

throws(() => {

81 +

cp.execFileSync(cmd, [shellCommandArgument], { cwd: expectedCWD });

82 +

}, (e) => {

83 +

notStrictEqual(e.status, 0);

84 +

return true;

85 +

});

86 + 87 +

cmdExitCode = cp.spawnSync(cmd, [shellCommandArgument], { cwd: expectedCWD }).status;

88 +

notStrictEqual(cmdExitCode, 0);

89 + 90 +

delete Object.prototype.shell;

91 +

}
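Review bot: The synchronous checks in the new loop assert only a non-zero status, which a failed spawn also satisfies: `spawnSync` reports `status` as `null` when the process could not be started, and `notStrictEqual(null, 0)` passes. For a regression test of a polluted `Object.prototype.shell`, the output is a more direct signal, e.g. `const { status, stdout } = cp.spawnSync(cmd, [shellCommandArgument], { cwd: expectedCWD });` followed by `strictEqual(typeof status, 'number');` and `strictEqual(stdout.toString().includes('tampered'), false);`. Separately, `program.stderr.on('data', common.mustCall())` requires exactly one chunk; if the error text can arrive in several writes, `common.mustCallAtLeast()` would avoid a flaky failure.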
