🛡️ Sentinel: [HIGH] Fix Prototype Pollution via Lua Labels#29
🛡️ Sentinel: [HIGH] Fix Prototype Pollution via Lua Labels#29ericbfriday wants to merge 1 commit into
Conversation
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
There was a problem hiding this comment.
Pull request overview
This PR hardens luaparse’s control-flow label tracking against prototype-pollution attacks by preventing user-supplied label names from interacting with Object.prototype.
Changes:
- Initialize
scope.labelswith a null-prototype dictionary to avoid prototype pollution from special keys (e.g.,__proto__). - Add a Sentinel security note documenting the vulnerability and mitigation guidance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| luaparse.js | Uses a null-prototype map for label storage in flow-scope tracking to mitigate prototype pollution. |
| .jules/sentinel.md | Documents the prototype-pollution issue, learning, and prevention guidance for future reference. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| FullFlowContext.prototype.pushScope = function (isLoop) { | ||
| var scope = { | ||
| labels: {}, | ||
| labels: Object.create ? Object.create(null) : {}, |
| FullFlowContext.prototype.pushScope = function (isLoop) { | ||
| var scope = { | ||
| labels: {}, | ||
| labels: Object.create ? Object.create(null) : {}, |
🚨 Severity: HIGH
💡 Vulnerability: The Lua parser used a standard JavaScript object literal
{}to store user-defined label keys, allowing for prototype pollution by injecting__proto__as a label name in user-supplied Lua scripts (e.g.::__proto__::).🎯 Impact: Manipulating properties on
Object.prototypecan lead to unexpected runtime behavior or subsequent security exploits depending on how the parsed AST and broader execution environment uses Javascript objects.🔧 Fix: Changed the dictionary initialization in
luaparse.jsat line 1677 from{}toObject.create ? Object.create(null) : {}to safely decouple it from the standard Object prototype.✅ Verification: Verified by confirming that parsed labels correctly reject
goto __proto__when::__proto__::is not visibly defined, without affecting inherited prototype attributes on the environment.PR created automatically by Jules for task 8851771173444985775 started by @ericbfriday