🛡️ Sentinel: [HIGH] Fix prototype pollution in Lua labels #31
ericbfriday wants to merge 1 commit into
Conversation
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Pull request overview
This PR hardens luaparse’s control-flow label tracking against prototype pollution by ensuring label dictionaries don’t inherit from Object.prototype, and records the security learning in repository documentation.
Changes:
- Initialize `scope.labels` with a null-prototype object (`Object.create(null)`) to prevent prototype pollution from user-controlled label names.
- Add a Sentinel security note documenting the vulnerability and the prevention pattern.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| luaparse.js | Switches the labels map to a null-prototype dictionary to mitigate prototype pollution. |
| .jules/sentinel.md | Documents the vulnerability, learning, and recommended prevention pattern. |
| FullFlowContext.prototype.pushScope = function (isLoop) { | ||
| var scope = { | ||
| labels: {}, | ||
| labels: Object.create ? Object.create(null) : {}, |
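Review bot: the new `labels: Object.create ? Object.create(null) : {}` line removes every inherited member from the map, including `hasOwnProperty`, so any existing call of the form `scope.labels.hasOwnProperty(name)` at the label-lookup sites would now throw; please confirm those sites use `name in scope.labels` or `Object.prototype.hasOwnProperty.call(scope.labels, name)`. The `Object.create ? ... : {}` fallback also means engines without `Object.create` silently keep the original object literal, so an own-property check at the lookup site is the part of the hardening that holds on every engine. A regression test that parses labels named `toString` and `__proto__` would pin both behaviours.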
🚨 Severity: HIGH
💡 Vulnerability: The parser used an object literal (`{}`) to store user-defined Lua labels. This exposed the parser to prototype pollution if a malicious script used label names that conflict with `Object.prototype` properties (like `__proto__`, `toString`, etc.), potentially causing unexpected behavior or crashes during parsing.
🎯 Impact: Maliciously crafted Lua code could cause prototype pollution within the parser runtime, potentially leading to denial of service, crashes, or unpredictable state corruption.
🔧 Fix: Changed the initialization of `scope.labels` from `{}` to `Object.create ? Object.create(null) : {}`. This ensures the dictionary map used to store label strings has a null prototype, mitigating prototype pollution vulnerabilities while maintaining backward compatibility with older JavaScript environments.
✅ Verification: Verified that tests pass via `npm run test` and `npm run bench:luast`. Verified that `luaparse.js` uses the new null-prototype initialization. Documented the learning in `.jules/sentinel.md`.
PR created automatically by Jules for task 4108014751997199802 started by @ericbfriday
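The failure mode described in the PR body, as an added example that is not luaparse's own code: a toy label registry built once on the "before" object literal and once on the "after" null-prototype expression from the diff. The scope shape and the `addLabel`, `resolveGoto` and `declaredLabels` helpers are assumptions for illustration; luaparse's real functions differ.

```javascript
// Added example (not luaparse's code): why an object literal misbehaves as a
// Lua label map when label names collide with Object.prototype members, and
// how the null-prototype dictionary from this PR's "after" line fixes it.
// Scope shape and helper names below are assumptions for illustration.

// "Before": an object literal inherits toString, hasOwnProperty, __proto__, ...
function makeScopeBefore() {
  return { labels: {} };
}

// "After": the exact expression the PR introduces. A null-prototype object
// has no inherited members, so only labels the parser stored are visible.
function makeScopeAfter() {
  return { labels: Object.create ? Object.create(null) : {} };
}

// Register a label. The `in` check walks the prototype chain, which is where
// the literal goes wrong: Object.prototype members look like labels that were
// already declared, so valid Lua such as `::toString::` is rejected.
function addLabel(scope, name, line) {
  if (name in scope.labels) {
    return { error: "label '" + name + "' already defined" };
  }
  scope.labels[name] = { line: line };
  return scope.labels[name];
}

// Resolve a goto target. With the literal, an undeclared target such as
// `goto hasOwnProperty` resolves to an inherited function instead of
// undefined, so later code expecting a label record can crash.
function resolveGoto(scope, name) {
  return scope.labels[name];
}

// Declared label names, as a parser would enumerate them. With the
// null-prototype map even a label literally named `__proto__` is stored
// as an ordinary own property and shows up here.
function declaredLabels(scope) {
  return Object.keys(scope.labels);
}
```

Replacing the `in` check with `Object.prototype.hasOwnProperty.call(scope.labels, name)` would also cure the false duplicate, but only the null prototype stops reads like `resolveGoto` from returning inherited functions.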