After a conversation on twitter ( https://twitter.com/mikesherov/status/1256193257626836998?s=20), to firm up what I'm proposing here is that preventing prototype pollution isn't really possible with Object.assign as is because it would have to change to not execute setters, which is a non-starter.
I'm mostly left with a desire to discuss/learn what it would actually take to make a prototype pollution safe version of Object.assign, and this may not be the forum for that. On Fri, May 1, 2020 at 8:50 AM Mike Sherov <mike.she...@gmail.com> wrote: > Given the increased prevalence of prototype pollution vulnerabilities in > many popular javascript libraries, is it time to reconsider the fact that > Object.assign allows for prototype pollution by default? > > I see two options: > 1. Change Object.assign to disallow PP by default. Look at real world > usages and see what would break if prototype pollution was disabled? Almost > certainly this is not a viable option, but wanted to raise it here just in > case there was appetite to do so. > 2. Introduce something like Object.safeAssign (bikeshedding aside), that > is the same as Object.assign except is safe from prototype pollution. > > The reason I think this is important is that the common advice of freezing > Object.prototype is something only the end user can do, and not something a > library can do. > > Yes, a library can also know to do its own PP fixes, but having a reified > way to avoid PP allows us to have a secure-by-default method in the > language. > > Thoughts? > > Mike Sherov -- Mike Sherov
_______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss