Revert "feat(enhanced the prototype pollution detection mecanism): be…
…tter checking for prototype pollution"

This reverts commit 284fbb1.
acuciureanu committed Feb 8, 2023
1 parent 284fbb1 commit 3fffdaa
Showing 2 changed files with 3 additions and 32 deletions.
4 changes: 2 additions & 2 deletions sandbox/index.html
Expand Up @@ -21,12 +21,12 @@
types.reduce((acc, type) => intersectProtoPropNameReducer(acc, type, prev, curr), {});
</script>

<script id="target"></script>

<script>
const before = prototypePropertyNames();
</script>

<script id="target"></script>

<script>
const after = prototypePropertyNames();
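Review bot: The ordering of `<script id="target"></script>` relative to `const before = prototypePropertyNames();` is not documented, and this section shows the tag both ahead of and after that snapshot without marking which placement the revert keeps. If the target runs before the baseline is taken, anything it adds to a prototype is presumably already in `before`, so the before/after comparison would report nothing. A comment next to the tag such as `<!-- target must load between the before and after snapshots -->` would pin the intended order. Both surrounding script blocks continue outside the hunk.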

31 changes: 1 addition & 30 deletions sandbox/js/check.payload.js
Expand Up @@ -7,41 +7,12 @@ const prototypesPropertiesReducer = (acc, type) => ({

const prototypePropertyNames = types.reduce(prototypesPropertiesReducer, {});

// This function checks if a prototype property is polluted by changing its value
// and checking if the value has changed. It returns a boolean indicating if the
// property is polluted.
const checkIfPrototypePropertyIsPolluted = (object, prop) => {
// Get the original value of the prototype property
const originalValue = Object.getOwnPropertyDescriptor(object, prop);
try {
// Change the value of the prototype property
object[prop] = 'polluted';
// If the value of the prototype property is 'polluted', it is polluted
if (object[prop] === 'polluted') {
return true;
}
} catch (e) {
// The property is read-only, so it is not polluted.
return false;
} finally {
// Restore the original value of the prototype property
Object.defineProperty(object, prop, originalValue);
}
return false;
};

// This function probes for polluted prototype properties and returns an array
// of the names of the polluted properties.
const probe = () =>
Object.keys(prototypePropertyNames).reduce((acc, key) => {
for (let propKey of prototypePropertyNames[key]) {
// Get the prototype property using eval()
const payload = `${key}.prototype.${propKey}`;
try {
const prop = eval(payload);
// If the prototype property is a function and its prototype is polluted,
// add its name to the result array.
if (typeof prop === 'function' && checkIfPrototypePropertyIsPolluted(prop.prototype, propKey)) {
if (typeof eval(payload) === 'function' && eval(payload).call() === window) {
acc.push(payload);
}
} catch (e) {
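Review bot: The restored test `typeof eval(payload) === 'function' && eval(payload).call() === window` evaluates a string built from property names twice and then invokes every prototype function it finds with no receiver or arguments, so detection itself runs built-in and page-defined methods as a side effect. Property names that are not valid identifiers make `eval` throw into the `catch` (whose body lies outside the hunk, as does the rest of `probe`), so they are presumably skipped rather than reported. A bracket lookup removes the eval and the double evaluation: `const fn = globalThis[key]?.prototype?.[propKey];` followed by `if (typeof fn === 'function' && fn.call() === window) {`, assuming the keys of `prototypePropertyNames` name global constructors. A comment should also record that the `=== window` comparison only matches sloppy-mode functions that return `this`; strict-mode functions see `undefined` and are never flagged.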
