node: warn for Object.prototype.__* accessors common in security warnings#39824
node: warn for Object.prototype.__* accessors common in security warnings#39824bmeck wants to merge 16 commits intonodejs:mainfrom
Conversation
| warnedForProto = true; | ||
| process.emitWarning('usage of Object.prototype.__* properties are a' + | ||
| ' common security concern, use static methods on Object instead'); | ||
| } |
There was a problem hiding this comment.
Perhaps we should make these proper runtime deprecations?
/cc @addaleax
There was a problem hiding this comment.
I'm not opposed, is it just adding to the docs a new number to get the DEP###?
There was a problem hiding this comment.
added to DEP doc, idk if there is a process to do instead
There was a problem hiding this comment.
Look for other DEP codes in the code and you'll see how those are emitted :-)
There was a problem hiding this comment.
Example:
Lines 28 to 29 in e46c680
As soon as this is changed to emit a deprecation warning, I'll launch a CITGM run with --throw-deprecation
There was a problem hiding this comment.
this seems difficult to wrangle without giving a unique DEP id to each accessor given the other feedback of giving more actionable feedback in #39824 (comment)
|
Here is a relevant discussion: #31951 |
Co-authored-by: Voltrex <[email protected]>
|
|
||
| const common = require('../common'); | ||
|
|
||
| process.on('warning', common.mustCall()); |
There was a problem hiding this comment.
There is a common.expectWarning() utility.
There was a problem hiding this comment.
done, but it seems deprecate(...) in lib seems to only fire once per dep code so having specialized messages per accessor seems to require unique DEP codes.
Co-authored-by: James M Snell <[email protected]>
Co-authored-by: Voltrex <[email protected]>
targos
left a comment
targos
left a comment
There was a problem hiding this comment.
cli-table is used by 375k GitHub repositories and >2.5k npm packages
chalk versions < 4 are probably used by a lot of projects
yargs is used by millions of projects
express is used by millions of projects
Maybe we should start with a pending deprecation?
addaleax
added
semver-major
| * `Object.prototype.__defineSetter__` | ||
| * `Object.prototype.__lookupGetter__` | ||
| * `Object.prototype.__lookupSetter__` | ||
| * `Object.prototype.__proto__` |
There was a problem hiding this comment.
I get that __proto__ is annoying, but it’s also widely used (which is why I had excluded it from #39576 as well). Runtime-deprecating that is a big breaking change.
There was a problem hiding this comment.
__proto__ is the main problem for CVEs regarding prototype pollution, it is the most important to figure out how to address. I am not arguing popularity or utility, just that the API is problematic in practice.
There was a problem hiding this comment.
Right – that’s what --disable-proto is for, no? Anyway, if we do this, it should be communicated very clearly to users.
(I also don’t think putting this behind --pending-deprecation is particularly useful, given that there already is a flag to opt-out of this behavior. If we do make the decision to runtime-deprecate fully eventually, then I guess that decision can also be made now.)
There was a problem hiding this comment.
--disable-proto is a bit different, it doesn't let you see that something is using __proto__ so you can fix it. It just removes it or makes it throw; also it is opt-in so the ecosystem noise is just permanent since it doesn't actually cause any sort of signal that security warning isn't a false positive.
There was a problem hiding this comment.
Well, I would say that throwing exceptions definitely lets you do that :)
In any case, to be clear I’m not -1 on this per se, I just think that this is a big change and we should call it out very explicitly.
There was a problem hiding this comment.
Throwing alters behavior, so maybe --disable-proto could get a warning mode that lets programs run and you fix it when you see it rather than taking down a process potentially?
Seems fine to have whole blog posts before this and waiting for a major to me on this PR. Since this affects legacy codebases as well it will likely also take some effort to PR things.
We could also add a flag to re-add the accessors if we ever do remove them for people needing to run legacy code.
There was a problem hiding this comment.
Throwing alters behavior, so maybe --disable-proto could get a warning mode that lets programs run and you fix it when you see it rather than taking down a process potentially?
I mean – yes, throwing alters behavior, but practically speaking, people will notice whether they are using __proto__ with either method, which is the point here anyw2ay.
We could also add a flag to re-add the accessors if we ever do remove them for people needing to run legacy code.
Yeah, I think in the long run that might be a good idea – just remove the accessors, but add a flag to add them for those who really need them.
There was a problem hiding this comment.
Too bad that --disable-proto=log wasn't an option ?
There was a problem hiding this comment.
On the other hand, --disable-proto=throw during development should spot all issues (if using a package lock).
|
@targos added a guard |
|
@targos after some digging, a variety of those are all from the test reporter used: tapjs/tap-mocha-reporter#68 |
|
we have patched some stuff in the wild, we should run CITGM again |
|
https://github.com/tapjs/tap-mocha-reporter has landed a fix, we should be good to try a new CITGM to see what the status is in the ecosystem. |
Co-authored-by: Rich Trott <[email protected]>
Co-authored-by: Rich Trott <[email protected]>
|
CITGM smoker running https://ci.nodejs.org/job/citgm-smoker/2863/ |
|
The last CITGM run reports 81 failures, which seems to be more or less the same as @bmeck can you rebase please? |
|
Have a newborn, won't be doing PR work for a few weeks
…On Wed, Apr 6, 2022, 9:43 AM Antoine du Hamel ***@***.***> wrote:
The last CITGM run reports 81 failures, which seems to be more or less the
same as master. Maybe we could land this in v18.0.0?
@bmeck <https://github.com/bmeck> can you rebase please?
—
Reply to this email directly, view it on GitHub
<#39824 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABZJI6MSA43X277Y32G53DVDWPHDANCNFSM5CQ7UVQQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Congrats! |
|
Was passing by here too. Nice one. Babies are so cute, and they don't have proto ! |
11 participants
These accessors cause too much noise in npm security audits for the ecosystem, we should start a path to removal. Figuring out/warning on usage seems a good first step prior to actual removal. This would also be a way to verify that a security audit warning actually is affecting something rather than being false positives. These are optional/legacy in the JS language specification https://tc39.es/ecma262/#sec-object.prototype-legacy-accessor-methods