chore: prefer frozen objects with null prototype as dictionary objects

mongodb-js · Feb 20, 2024 · 927d137 · 927d137
1 parent f205084
commit 927d137
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 26 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/check.ts b/src/check.ts
@@ -56,7 +56,7 @@ class Checker {
   checkSafeExpression = (node: Node): boolean => {
     switch (node.type) {
       case 'Identifier':
-        return GLOBALS.hasOwnProperty(node.name);
+        return Object.prototype.hasOwnProperty.call(GLOBALS, node.name);
       case 'Literal':
         return true;
       case 'ArrayExpression':

diff --git a/src/eval.ts b/src/eval.ts
@@ -116,7 +116,7 @@ const functionExpression = (
 const walk = (node: Node): any => {
   switch (node.type) {
     case 'Identifier':
-      if (GLOBALS.hasOwnProperty(node.name)) {
+      if (Object.prototype.hasOwnProperty.call(GLOBALS, node.name)) {
         return GLOBALS[node.name];
       }
       throw new Error(`${node.name} is not a valid Identifier`);
@@ -133,15 +133,15 @@ const walk = (node: Node): any => {
     case 'NewExpression':
       return memberExpression(node, true);
     case 'ObjectExpression':
-      const obj: { [key: string]: any } = {};
+      const obj: { [key: string]: any } = Object.create(null);
       node.properties.forEach(property => {
         const key =
           property.key.type === 'Identifier'
             ? property.key.name
             : walk(property.key);
         obj[key] = walk(property.value);
       });
-      return obj;
+      return { ...obj };
     case 'FunctionExpression':
     case 'ArrowFunctionExpression':
       return functionExpression(node);

diff --git a/src/scope.ts b/src/scope.ts
@@ -1,5 +1,10 @@
 import * as bson from 'bson';
 
+// Returns the same object but frozen and with a null prototype.
+function lookupMap<T extends {}>(input: T): Readonly<T> {
+  return Object.freeze(Object.create(null, Object.getOwnPropertyDescriptors(input)));
+}
+
 function NumberLong(v: any) {
   if (typeof v === 'string') {
     return bson.Long.fromString(v);
@@ -8,25 +13,25 @@ function NumberLong(v: any) {
   }
 }
 
-const SCOPE_CALL: { [x: string]: Function } = {
+const SCOPE_CALL: { [x: string]: Function } = lookupMap({
   Date: function(...args: any[]) {
     // casting our arguments as an empty array because we don't know
     // the length of our arguments, and should allow users to pass what
     // they want as date arguments
     return Date(...(args as []));
   },
-};
+});
 
-const SCOPE_NEW: { [x: string]: Function } = {
+const SCOPE_NEW: { [x: string]: Function } = lookupMap({
   Date: function(...args: any[]) {
     // casting our arguments as an empty array because we don't know
     // the length of our arguments, and should allow users to pass what
     // they want as date arguments
     return new Date(...(args as []));
   },
-};
+});
 
-const SCOPE_ANY: { [x: string]: Function } = {
+const SCOPE_ANY: { [x: string]: Function } = lookupMap({
   RegExp: RegExp,
   Binary: function(buffer: any, subType: any) {
     return new bson.Binary(buffer, subType);
@@ -102,9 +107,9 @@ const SCOPE_ANY: { [x: string]: Function } = {
     // they want as date arguments
     return new Date(...(args as []));
   },
-};
+});
 
-export const GLOBALS: { [x: string]: any } = Object.freeze({
+export const GLOBALS: { [x: string]: any } = lookupMap({
   Infinity: Infinity,
   NaN: NaN,
   undefined: undefined,
@@ -125,10 +130,10 @@ type ClassExpressions = {
   };
 };
 
-const ALLOWED_CLASS_EXPRESSIONS: ClassExpressions = {
-  Math: {
+const ALLOWED_CLASS_EXPRESSIONS: ClassExpressions = lookupMap({
+  Math: lookupMap({
     class: Math,
-    allowedMethods: {
+    allowedMethods: lookupMap({
       abs: true,
       acos: true,
       acosh: true,
@@ -163,11 +168,11 @@ const ALLOWED_CLASS_EXPRESSIONS: ClassExpressions = {
       tan: true,
       tanh: true,
       trunc: true,
-    },
-  },
-  Date: {
+    }),
+  }),
+  Date: lookupMap({
     class: Date,
-    allowedMethods: {
+    allowedMethods: lookupMap({
       getDate: true,
       getDay: true,
       getFullYear: true,
@@ -205,13 +210,13 @@ const ALLOWED_CLASS_EXPRESSIONS: ClassExpressions = {
       setUTCSeconds: true,
       setYear: true,
       toISOString: true,
-    },
-  },
-  ISODate: {
+    }),
+  }),
+  ISODate: lookupMap({
     class: Date,
     allowedMethods: 'Date',
-  },
-};
+  }),
+});
 
 export const GLOBAL_FUNCTIONS = Object.freeze([
   ...Object.keys(SCOPE_ANY),

diff --git a/test/index.spec.ts b/test/index.spec.ts
@@ -156,6 +156,15 @@ it('should not allow calling functions that do not exist', function() {
   expect(parse('{ date: require("") }')).toEqual('');
 });
 
+for (const mode of [ParseMode.Extended, ParseMode.Strict, ParseMode.Loose]) {
+  it('should not allow calling functions that only exist as Object.prototype properties', function() {
+    expect(parse('{ date: Date.constructor("") }', {mode})).toEqual('');
+    expect(parse('{ date: Date.hasOwnProperty("") }', {mode})).toEqual('');
+    expect(parse('{ date: Date.__proto__("") }', {mode})).toEqual('');
+    expect(parse('{ date: Code({ toString: Date.constructor("throw null;") }) }', {mode})).toEqual('');
+  });
+}
+
 describe('Function calls', function() {
   const options: Partial<Options> = {
     mode: ParseMode.Strict,