console: fix prototype pollution via console.table

CVE-ID: CVE-2022-21824
PR-URL: nodejs-private/node-private#307
Refs: https://hackerone.com/reports/1431042
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

Author: tniessen

lib/internal/console/constructor.js

@@ -15,6 +15,7 @@ const {
   MathFloor,
   Number,
   NumberPrototypeToFixed,
+  ObjectCreate,
   ObjectDefineProperties,
   ObjectDefineProperty,
   ObjectKeys,
@@ -555,7 +556,7 @@ const consoleMethods = {
       return final([iterKey, valuesKey], [getIndexArray(length), values]);
     }
 
-    const map = {};
+    const map = ObjectCreate(null);
     let hasPrimitives = false;
     const valuesKeyArray = [];
     const indexKeyArray = ObjectKeys(tabularData);

test/parallel/test-console-table.js

@@ -276,3 +276,18 @@ test({ foo: '你好', bar: 'hello' }, `
 │   bar   │ 'hello' │
 └─────────┴─────────┘
 `);
+
+// Regression test for prototype pollution via console.table. Earlier versions
+// of Node.js created an object with a non-null prototype within console.table
+// and then wrote to object[column][index], which lead to an error as well as
+// modifications to Object.prototype.
+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
+┌─────────┬───────────┐
+│ (index) │ __proto__ │
+├─────────┼───────────┤
+│    0    │           │
+│    1    │           │
+└─────────┴───────────┘
+`);
+assert.strictEqual('0' in Object.prototype, false);
+assert.strictEqual('1' in Object.prototype, false);