-
Notifications
You must be signed in to change notification settings - Fork 29.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
node: warn for Object.prototype.__* accessors common in security warnings #39824
base: main
Are you sure you want to change the base?
Conversation
warnedForProto = true; | ||
process.emitWarning('usage of Object.prototype.__* properties are a' + | ||
' common security concern, use static methods on Object instead'); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps we should make these proper runtime deprecations?
/cc @addaleax
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not opposed, is it just adding to the docs a new number to get the DEP###?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added to DEP doc, idk if there is a process to do instead
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Look for other DEP codes in the code and you'll see how those are emitted :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Example:
Lines 28 to 29 in e46c680
process.emitWarning('sys is deprecated. Use util instead.', | |
'DeprecationWarning', 'DEP0025'); |
As soon as this is changed to emit a deprecation warning, I'll launch a CITGM run with --throw-deprecation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this seems difficult to wrangle without giving a unique DEP id to each accessor given the other feedback of giving more actionable feedback in #39824 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to document this somewhere. Most experienced folks would now but not newbies.
Here is a relevant discussion: #31951 |
Co-authored-by: Voltrex <mohammadkeyvanzade94@gmail.com>
|
||
const common = require('../common'); | ||
|
||
process.on('warning', common.mustCall()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a common.expectWarning()
utility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done, but it seems deprecate(...)
in lib seems to only fire once per dep code so having specialized messages per accessor seems to require unique DEP codes.
Co-authored-by: James M Snell <jasnell@gmail.com>
Co-authored-by: Voltrex <mohammadkeyvanzade94@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cli-table
is used by 375k GitHub repositories and >2.5k npm packages
chalk
versions < 4 are probably used by a lot of projects
yargs
is used by millions of projects
express
is used by millions of projects
Maybe we should start with a pending deprecation?
* `Object.prototype.__defineSetter__` | ||
* `Object.prototype.__lookupGetter__` | ||
* `Object.prototype.__lookupSetter__` | ||
* `Object.prototype.__proto__` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I get that __proto__
is annoying, but it’s also widely used (which is why I had excluded it from #39576 as well). Runtime-deprecating that is a big breaking change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
__proto__
is the main problem for CVEs regarding prototype pollution, it is the most important to figure out how to address. I am not arguing popularity or utility, just that the API is problematic in practice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Right – that’s what --disable-proto
is for, no? Anyway, if we do this, it should be communicated very clearly to users.
(I also don’t think putting this behind --pending-deprecation
is particularly useful, given that there already is a flag to opt-out of this behavior. If we do make the decision to runtime-deprecate fully eventually, then I guess that decision can also be made now.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--disable-proto
is a bit different, it doesn't let you see that something is using __proto__
so you can fix it. It just removes it or makes it throw; also it is opt-in so the ecosystem noise is just permanent since it doesn't actually cause any sort of signal that security warning isn't a false positive.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, I would say that throwing exceptions definitely lets you do that :)
In any case, to be clear I’m not -1 on this per se, I just think that this is a big change and we should call it out very explicitly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Throwing alters behavior, so maybe --disable-proto could get a warning mode that lets programs run and you fix it when you see it rather than taking down a process potentially?
Seems fine to have whole blog posts before this and waiting for a major to me on this PR. Since this affects legacy codebases as well it will likely also take some effort to PR things.
We could also add a flag to re-add the accessors if we ever do remove them for people needing to run legacy code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Throwing alters behavior, so maybe --disable-proto could get a warning mode that lets programs run and you fix it when you see it rather than taking down a process potentially?
I mean – yes, throwing alters behavior, but practically speaking, people will notice whether they are using __proto__
with either method, which is the point here anyw2ay.
We could also add a flag to re-add the accessors if we ever do remove them for people needing to run legacy code.
Yeah, I think in the long run that might be a good idea – just remove the accessors, but add a flag to add them for those who really need them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Too bad that --disable-proto=log
wasn't an option ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the other hand, --disable-proto=throw
during development should spot all issues (if using a package lock).
@targos added a guard |
@targos after some digging, a variety of those are all from the test reporter used: tapjs/tap-mocha-reporter#68 |
we have patched some stuff in the wild, we should run CITGM again |
https://github.com/tapjs/tap-mocha-reporter has landed a fix, we should be good to try a new CITGM to see what the status is in the ecosystem. |
Co-authored-by: Rich Trott <rtrott@gmail.com>
Co-authored-by: Rich Trott <rtrott@gmail.com>
CITGM smoker running https://ci.nodejs.org/job/citgm-smoker/2863/ |
The last CITGM run reports 81 failures, which seems to be more or less the same as @bmeck can you rebase please? |
Have a newborn, won't be doing PR work for a few weeks
…On Wed, Apr 6, 2022, 9:43 AM Antoine du Hamel ***@***.***> wrote:
The last CITGM run reports 81 failures, which seems to be more or less the
same as master. Maybe we could land this in v18.0.0?
@bmeck <https://github.com/bmeck> can you rebase please?
—
Reply to this email directly, view it on GitHub
<#39824 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABZJI6MSA43X277Y32G53DVDWPHDANCNFSM5CQ7UVQQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Congrats! |
Was passing by here too. Nice one. Babies are so cute, and they don't have proto ! |
These accessors cause too much noise in npm security audits for the ecosystem, we should start a path to removal. Figuring out/warning on usage seems a good first step prior to actual removal. This would also be a way to verify that a security audit warning actually is affecting something rather than being false positives. These are optional/legacy in the JS language specification https://tc39.es/ecma262/#sec-object.prototype-legacy-accessor-methods