Missed the list. Also, it apparently does trigger setters. Crossed it up with spread properties (which don't).
On Fri, May 1, 2020 at 06:28 Isiah Meadows <cont...@isiahmeadows.com> wrote: > I thought `Object.assign`already used the `Object.keys` + > `Object.defineProperty` algorithms under the hood and thus were immune to > this. Am I misremembering or misunderstanding? > > On Fri, May 1, 2020 at 05:51 Mike Sherov <mike.she...@gmail.com> wrote: > >> Given the increased prevalence of prototype pollution vulnerabilities in >> many popular javascript libraries, is it time to reconsider the fact that >> Object.assign allows for prototype pollution by default? >> >> I see two options: >> 1. Change Object.assign to disallow PP by default. Look at real world >> usages and see what would break if prototype pollution was disabled? Almost >> certainly this is not a viable option, but wanted to raise it here just in >> case there was appetite to do so. >> 2. Introduce something like Object.safeAssign (bikeshedding aside), that >> is the same as Object.assign except is safe from prototype pollution. >> >> The reason I think this is important is that the common advice of >> freezing Object.prototype is something only the end user can do, and not >> something a library can do. >> >> Yes, a library can also know to do its own PP fixes, but having a reified >> way to avoid PP allows us to have a secure-by-default method in the >> language. >> >> Thoughts? >> >> Mike Sherov >> _______________________________________________ >> es-discuss mailing list >> es-discuss@mozilla.org >> https://mail.mozilla.org/listinfo/es-discuss >> > -- > ----- > > Isiah Meadows > cont...@isiahmeadows.com > www.isiahmeadows.com > -- ----- Isiah Meadows cont...@isiahmeadows.com www.isiahmeadows.com
_______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss