Let's make a plan for bad getters and toString() methods #12372
Comments
|
/cc @tniessen |
|
I’m good with the approach that e.g. #12371 is taking – handle everything properly in the C++ layer, forwarding possible exceptions to JS if they are encountered. |
addaleax
added
the
c++
|
Applied the "security" label as it may be concerned by this issue in, at least, some cases; please remove it if it's not relevant. |
|
I think so far all collaborators have indicated in the discussions here that those issues can’t reasonably be considered security issues. |
|
One (rather extreme) option is to:
|
|
I personally consider it a non-issue. I'd be more amenable if it was something you hit by accident but so far it's all been people playing at security researcher. |
|
I agree with @addaleax: I don't see a problem fixing it ad hoc, this does not appear to be a design problem. None of the reported issues I came across pose any real-world danger. |
|
@tniessen By the way, your first comment (the one you deleted) about gradually updating everything to |
|
Thanks for the feedback. I'll close the issue. Feel free to continue the discussion. |
Version: master
Platform: all
Subsystem: src
It seems like these types of issues get opened pretty frequently. Node accepts an object as input, and one of the properties on that object is a getter that throws an error. Similar problems exist with
toString()and others. It's usually reported as a security issue that bypasses JavaScript validation (when we have some in place) and crashes in the binding layer.I tried to fix one such issue and was told that instead of fixing ad hoc, we should come up with a plan. I agree with that idea. So, let's come up with a plan. Should we ignore the problem? Ensure that getters and other potential problematic methods are corrected in the JS layer? Something else?
The text was updated successfully, but these errors were encountered: