fix: prevent prototype pollution in cli.processArguments #21057
Reject `__proto__`, `constructor` and `prototype` path segments when walking the schema path so a crafted argument path can no longer write through to Object.prototype.
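As an added illustration that is not webpack's own code, the following JavaScript sketches the guard this PR describes: a dotted-path setter that refuses `__proto__`, `constructor` and `prototype` in both intermediate and trailing positions and reports the new `"prototype-pollution-in-path"` problem type. The names `setByPath`, `applyArguments` and `demo`, the sample argument list, and the shape of the problem object are assumptions; webpack's real `getObjectAndProperty` and `processArguments` differ in detail.

```javascript
// Added example, not webpack's own code. Function names and the problem
// object shape are assumptions made for illustration.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// A path segment that could redirect a write into Object.prototype.
function isUnsafeKey(key) {
  return UNSAFE_KEYS.has(key);
}

// Walk a dotted `path` (e.g. "optimization.minimize") through `root`, creating
// intermediate objects as needed, and assign `value` to the last segment.
// Returns null on success, or a problem object when any segment (intermediate
// or trailing) is one of the forbidden keys.
function setByPath(root, path, value) {
  const segments = path.split(".");
  let current = root;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (isUnsafeKey(key)) {
      return { type: "prototype-pollution-in-path", path, argument: key };
    }
    if (i === segments.length - 1) {
      current[key] = value;
      return null;
    }
    // Only descend into own, non-null object values; anything else (including
    // an inherited function such as toString) is shadowed by a fresh own object.
    if (
      !Object.hasOwn(current, key) ||
      typeof current[key] !== "object" ||
      current[key] === null
    ) {
      current[key] = {};
    }
    current = current[key];
  }
  return null;
}

// Apply a list of { path, value } arguments to a fresh config object,
// collecting every rejected path instead of throwing.
function applyArguments(args) {
  const config = {};
  const problems = [];
  for (const { path, value } of args) {
    const problem = setByPath(config, path, value);
    if (problem) problems.push(problem);
  }
  return { config, problems };
}

// Constructed sample input: legitimate paths mixed with each forbidden key in
// an intermediate or a trailing position.
const SAMPLE_ARGS = [
  { path: "mode", value: "production" },
  { path: "optimization.minimize", value: true },
  { path: "__proto__.polluted", value: true },
  { path: "optimization.constructor.prototype.polluted", value: true },
  { path: "output.prototype", value: true },
];

function demo() {
  const result = applyArguments(SAMPLE_ARGS);
  // After the rejected writes, a brand-new object must not see `polluted`.
  result.untouched = !("polluted" in {});
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

The check runs on every segment, not just the last one, because an intermediate `constructor.prototype` hop reaches `Object.prototype` just as surely as a trailing `__proto__`; the `Object.hasOwn` test is a separate, belt-and-braces measure so that the walker never descends into an inherited value.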
🦋 Changeset detected. Latest commit: a71b49c. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
This PR is packaged and the instant preview is available (e9f334b). Install it locally:

```
npm i -D webpack@https://pkg.pr.new/webpack@e9f334b
yarn add -D webpack@https://pkg.pr.new/webpack@e9f334b
pnpm add -D webpack@https://pkg.pr.new/webpack@e9f334b
```
Pull request overview
Adds prototype pollution guard in cli.processArguments by rejecting __proto__, constructor, and prototype path segments when traversing the schema path, returning a new prototype-pollution-in-path problem type.
Changes:
- Introduce `isUnsafeKey` helper and reject unsafe segments in both intermediate and final positions of `getObjectAndProperty`.
- Add new `ProblemType` value `"prototype-pollution-in-path"` (and update auto-generated `types.d.ts` accordingly).
- Add tests covering both intermediate and trailing unsafe segments for each forbidden key.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| lib/cli.js | Adds isUnsafeKey and guards against pollution segments in path traversal. |
| types.d.ts | Extends ProblemType union with "prototype-pollution-in-path" (auto-generated). |
| test/Cli.basictest.js | Adds tests verifying pollution attempts are rejected and produce the new problem type. |
| .changeset/cli-prototype-pollution.md | Changeset entry describing the patch. |
Merging this PR will not alter performance
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```
@@            Coverage Diff             @@
##             main   #21057      +/-   ##
==========================================
- Coverage   91.73%   91.71%   -0.02%
==========================================
  Files         580      580
  Lines       60582    60588       +6
  Branches    16396    16399       +3
==========================================
- Hits        55574    55571       -3
- Misses       5008     5017       +9
```