Potential fix for code scanning alert no. 1: Prototype-polluting assignment #224
Conversation
…gnment Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
|
View your CI Pipeline Execution ↗ for commit 173573e
☁️ Nx Cloud last updated this comment at |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| async loaderCustomGet<T extends Record<string, unknown>>(key: string): Promise<T> { | ||
| if (key === '__proto__' || key === 'constructor' || key === 'prototype') { | ||
| throw new Error("Invalid key"); | ||
| } |
There was a problem hiding this comment.
Bug: Inconsistent Key Validation Breaks Store Contract
The validation check for dangerous keys (__proto__, constructor, prototype) is only in loaderCustomGet, but not in loaderCustomSet, loaderCustomHas, or loaderCustomDelete. This creates inconsistent behavior where keys can be set and checked but cannot be retrieved, breaking the expected contract of a key-value store. If the intent is to block these keys, the validation belongs in loaderCustomSet where the assignment occurs, not in the getter.
|
Potential fix for https://github.com/llm-tools/embedJs/security/code-scanning/1
To prevent prototype pollution, we need to ensure that the
keyparameter cannot be a special property like__proto__,constructor, orprototype. This can be achieved by validating thekeyparameter before using it to access or modify theloaderCustomValuesobject. Alternatively, we can replace the plain objectloaderCustomValueswith a prototype-less object created usingObject.create(null).The best approach here is to use a prototype-less object for
loaderCustomValues, as it inherently prevents prototype pollution without requiring additional validation logic. This change will involve:loaderCustomValuesin theinitmethod to useObject.create(null).loaderCustomValuesremain compatible with a prototype-less object.Suggested fixes powered by Copilot Autofix. Review carefully before merging.
Note
Use a prototype-less object for
loaderCustomValuesand validate disallowed keys inloaderCustomGetto prevent prototype pollution.loaderCustomValueswithObject.create(null)incore/embedjs/src/store/memory-store.ts.loaderCustomGetto reject__proto__,constructor, andprototype.Written by Cursor Bugbot for commit 173573e. This will update automatically on new commits. Configure here.