>>> deno run -A test.ts
0.20.0
var hello = "world";
var __proto__ = {
sky: "universe"
};
var stdin_default = {
hello,
__proto__
};
export {
__proto__,
stdin_default as default,
hello
};
0.20.1
var hello = "world";
var __proto__ = {
sky: "universe"
};
var stdin_default = {
hello,
__proto__: __proto__
};
export {
__proto__,
stdin_default as default,
hello
};
In the 0.20.1 output, the __proto__ field of the JSON is incorrectly written as __proto__: __proto__. This sets the prototype of stdin_default rather than a __proto__ key, as was happening in 0.20.0 and below.
This may be a security issue if users bundle untrusted JSON files into their code (but probably not that bad).
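The difference the report turns on is a JavaScript object-literal rule: a non-computed `__proto__: value` entry sets the prototype, while the shorthand `{ __proto__ }` and the computed `["__proto__"]: value` forms define an ordinary own property, which is also what JSON.parse produces. The following is an added example, not code from the issue or from esbuild; it reproduces the three spellings with the report's constructed payload and includes a small defensive check (my own, not part of esbuild) that tells whether a bundled JSON module's default export still represents the source JSON faithfully.

```javascript
// Added example (not code from the esbuild issue): compares the three ways a
// `__proto__` property can be spelled in an object literal, and checks a
// bundled JSON object against its source text. Payload mirrors the report.
const __proto__ = { sky: "universe" };
const hello = "world";

// Shape of the 0.20.0 output: shorthand property. Per the language spec the
// shorthand form defines an own data property and does NOT set the prototype.
function shorthandForm() {
  return { hello, __proto__ };
}

// Shape of the 0.20.1 output: `__proto__: value` with a plain (non-computed)
// key is the prototype-setter syntax, so the payload becomes the prototype.
function colonForm() {
  return { hello, __proto__: __proto__ };
}

// A computed key always yields an own property, regardless of the key name.
// This is one way a bundler can emit such a JSON key safely (assumption, not
// a statement about what esbuild does).
function computedForm() {
  return { hello, ["__proto__"]: __proto__ };
}

// Reference behaviour: JSON.parse creates an own "__proto__" property.
function jsonParseForm() {
  return JSON.parse('{"hello":"world","__proto__":{"sky":"universe"}}');
}

// Summarise how an object ended up: own key or not, prototype replaced or not,
// and whether the payload's fields leak through the prototype chain.
function describe(obj) {
  return {
    ownKey: Object.prototype.hasOwnProperty.call(obj, "__proto__"),
    protoIsPayload: Object.getPrototypeOf(obj) === __proto__,
    skyVisible: obj.sky, // "universe" only when the prototype was replaced
  };
}

// Defensive check (hypothetical helper): a JSON module's default export must
// be a plain object (prototype Object.prototype) that carries every top-level
// key of the source JSON as an own property, "__proto__" included.
function isFaithfulJsonModule(obj, sourceJson) {
  const parsed = JSON.parse(sourceJson);
  if (Object.getPrototypeOf(obj) !== Object.prototype) return false;
  for (const key of Object.keys(parsed)) {
    if (!Object.prototype.hasOwnProperty.call(obj, key)) return false;
  }
  return true;
}
```

Running `describe` on each form shows that only the colon form replaces the prototype and makes `sky` visible on the module object; `isFaithfulJsonModule` rejects exactly that form.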
lucacasonato changed the title from "esbuild@0.20.1 prototype pollution when bundling json containing a __proto__ key" to "esbuild@0.20.1 prototype setting when bundling json containing a __proto__ key" on Mar 14, 2024
Hmm, I think this perhaps never really worked. Version 0.20.0 can generate incorrect output as well. Thanks for the report! I'll fix this in the next release.