Friday 16 February 2018

Quick CVE-2018-3721 (__proto__ from JSON.parse) mitigation

Guys, need quick brainstorm for mitigation of http://ift.tt/2F80cHR

It has already leaked in other subreddit. So, I am not exposing anything.

Looks like Object.freeze( Object.prototype ); is a quick and permanent solution.

Modification of global prototype is definitely a bad practice. So, such pattern should be removed in modern applications. Also, it's possible to call the statement after global prototype modification is complete.

Example below.

    const _ = require( 'lodash' );

    console.log( ({}).test1 ); // undefined
    _.merge( {}, JSON.parse( '{"__proto__": { "test1": "123" } }' ) );
    console.log( ({}).test1 ); // "123"

    Object.freeze( Object.prototype );

    console.log( ({}).test2 ); // undefined
    _.merge( {}, JSON.parse( '{"__proto__": { "test2": "123" } }' ) );
    console.log( ({}).test2 ); // undefined

Any drawbacks you can think of?

Submitted February 17, 2018 at 12:08AM by andvgal
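
A complementary mitigation that does not depend on freezing a global, shown as an added example (not part of the original post and not lodash's code): a deep merge that refuses prototype-reaching keys, next to a constructed vulnerable merge for comparison. `naiveMerge`, `safeMerge`, `pollutes`, `PAYLOAD` and the `pollutedExample` property are names made up for this sketch.

```javascript
// Keys that can reach a prototype during a recursive merge. "__proto__" is the
// one from the post; "constructor" and "prototype" are commonly blocked as well
// (assumption: the application does not need them as data keys).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Constructed stand-in for a vulnerable deep merge. JSON.parse creates
// "__proto__" as an own property of the source, while target['__proto__']
// resolves to Object.prototype, so the recursion writes into the global.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: skip blocked keys and only recurse into the target's OWN
// plain-object properties, never into anything inherited.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input, same shape as the payload in the post.
const PAYLOAD = '{"__proto__": {"pollutedExample": "123"}, "name": "x"}';

// Returns true if merging the parsed JSON leaks a property onto every object.
// Always cleans up so the check leaves the process unchanged.
function pollutes(mergeFn, json) {
  try {
    mergeFn({}, JSON.parse(json));
    return ({}).pollutedExample !== undefined;
  } finally {
    delete Object.prototype.pollutedExample;
  }
}
```

`pollutes(naiveMerge, PAYLOAD)` is `true` and `pollutes(safeMerge, PAYLOAD)` is `false`; the filter silently drops the blocked keys, so data that legitimately uses them would be lost.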
