Skip to content

Fix code scanning alert no. 1: Prototype-polluting function #711

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lindluni wants to merge 1 commit into from
Closed

Fix code scanning alert no. 1: Prototype-polluting function #711

lindluni wants to merge 1 commit into from

Conversation

@lindluni
Copy link
Contributor

@lindluni lindluni commented Dec 16, 2024

Fixes https://github.com/github/safe-settings/security/code-scanning/1

To fix the prototype pollution issue, we need to ensure that properties like __proto__ and constructor are not copied from the source object to the additions object. This can be achieved by adding a check to skip these properties during the merge process.

  • Modify the compareDeep function to include a check that skips the __proto__ and constructor properties.
  • This change should be made in the lib/mergeDeep.js file, specifically in the loop that iterates over the source object's properties.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@lindluni @github-advanced-security
Fix code scanning alert no. 1: Prototype-polluting function
16ad0ca 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@lindluni lindluni marked this pull request as ready for review December 16, 2024 03:57
Copilot AI review requested due to automatic review settings December 16, 2024 03:57
Copilot AI reviewed Dec 16, 2024
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more

lib/mergeDeep.js
// So any property in the target that is not in the source is not treated as a deletion
for (const key in source) {
// Skip prototype pollution properties
if (key === "__proto__" || key === "constructor") {
Copy link

Copilot AI Dec 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The check for prototype pollution properties is correct, but it should also include 'prototype' to ensure comprehensive protection against prototype pollution attacks.

Suggested change
if (key === "__proto__" || key === "constructor") {
if (key === "__proto__" || key === "constructor" || key === "prototype") {

Copilot uses AI. Check for mistakes.
@lindluni lindluni closed this Dec 26, 2024
@lindluni lindluni deleted the alert-autofix-1 branch December 26, 2024 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lindluni @Claude @Codex