🛡️ Sentinel: [CRITICAL/HIGH] Fix prototype pollution in label storage #35
ericbfriday wants to merge 1 commit into
Conversation
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with

New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Pull request overview
This PR hardens Lua label storage by changing the per-scope label dictionary to use a null-prototype object, reducing risk from prototype-key label names.
Changes:
- Initializes `labels` with `Object.create(null)` fallback logic.
- Adds a `.jules` Sentinel note documenting the prototype-pollution lesson.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| luaparse.js | Updates flow-context label storage initialization. |
| .jules/sentinel.md | Adds an audit/learning note for the vulnerability fix. |
| FullFlowContext.prototype.pushScope = function (isLoop) { | ||
| var scope = { | ||
| labels: {}, | ||
| labels: Object.create ? Object.create(null) : {}, |
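Review bot: the `Object.create ? Object.create(null) : {}` ternary on the new `labels:` line silently reinstates the exact `{}` dictionary the fix is removing on any engine that lacks `Object.create`, so the hardening is conditional on the runtime rather than guaranteed. `Object.create` is ES5 and has been available in every Node release and every browser for well over a decade; either drop the ternary and write `labels: Object.create(null),` unconditionally, or, if the legacy branch must stay, make every read of `scope.labels[name]` in this flow context go through `Object.prototype.hasOwnProperty.call(scope.labels, name)` so that inherited names such as `constructor`, `toString` or `hasOwnProperty` are never mistaken for defined labels when the fallback is taken. As written, the patched line only protects the branch that was never at risk.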
| ## 2026-05-27 - [Prototype Pollution in Lua Labels] | ||
| **Vulnerability:** The parser stores user-supplied strings (Lua goto labels) as keys in a plain javascript object literal `{}`, which inherits from `Object.prototype`, exposing it to prototype pollution attacks (e.g., using `__proto__` as a label name). | ||
| **Learning:** Dictionary objects constructed to store user-supplied text should not be vulnerable to prototype pollution. | ||
| **Prevention:** Use `Object.create(null)` instead of `{}` when initializing dictionary objects that store user-supplied strings, with a fallback like `Object.create ? Object.create(null) : {}` for safer evaluation across JS engine versions. No newline at end of file |
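Review bot: the **Vulnerability** and **Learning** lines describe the bug as "prototype pollution", but assigning a `__proto__` key on a per-scope `{}` rewires that one object's own [[Prototype]]; it does not reach the shared `Object.prototype`, so nothing outside the scope object is polluted. What a plain `{}` label table actually does is (a) report inherited names such as `constructor` or `toString` as already present on lookups that use `in` or a truthiness test, and (b) never record a `__proto__` label as an own property, so a second `::__proto__::` in the same block escapes duplicate detection. Naming those two effects would make the audit note accurate and would tell the next reader which lookups to audit. The **Prevention** line then recommends the `Object.create ? Object.create(null) : {}` fallback as "safer evaluation across JS engine versions", but the fallback branch is precisely the unsafe form; either name the engines that lack ES5 `Object.create` or drop the fallback from the recommendation. Also add a trailing newline, since the hunk ends with "No newline at end of file".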
🚨 Severity: HIGH

💡 Vulnerability: The parser stores user-supplied strings (Lua goto labels) as keys in a plain JavaScript object literal `{}`, which inherits from `Object.prototype`, exposing it to prototype pollution attacks (e.g., using `__proto__` as a label name).

🎯 Impact: A malicious actor could provide specially crafted Lua code containing a label named `__proto__` to alter the prototype chain of the dictionary object, potentially leading to unexpected behavior or denial of service within the parser.

🔧 Fix: Initialized the `labels` object using `Object.create ? Object.create(null) : {}` instead of `{}`. This ensures the dictionary operates without inheriting from `Object.prototype` while maintaining a fallback for older environments without `Object.create`.

✅ Verification: Ran the test suite (`npm run test`) and benchmarks (`npm run bench:luast`) successfully to ensure no functional or performance regressions.

PR created automatically by Jules for task 14569152277891614626 started by @ericbfriday
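The description above says a `{}` label table "inherits from `Object.prototype`" and that a `__proto__` label can "alter the prototype chain of the dictionary object", but it does not show what a parser built on such a table actually does wrong, or what the fallback branch of the patch gives up. The following is an added example, not luaparse's code and not part of this PR: a tiny stand-in label table with hypothetical helpers (`createScope`, `hasLabel`, `defineLabel`, `probeLabelTable`). `createScope` takes an `objectCreate` argument that mirrors the patch's `Object.create ? Object.create(null) : {}` ternary, so passing `undefined` simulates an engine without `Object.create` and exercises the plain-object fallback, which goes slightly beyond the PR text. It runs the same sequence of Lua-label operations (`goto toString` with no such label, then `::__proto__::` defined twice in one block) against both initialisations and reports what each dictionary did.

```javascript
'use strict';

// Added example, not luaparse's code: a minimal stand-in for the per-scope
// `labels` dictionary this PR touches. `objectCreate` mirrors the patch's
// `Object.create ? Object.create(null) : {}` ternary; passing `undefined`
// simulates an engine without Object.create and selects the plain-object
// fallback, which is the pre-patch behaviour.
function createScope(objectCreate) {
  return { labels: objectCreate ? objectCreate(null) : {} };
}

// Membership test with `in`, which walks the prototype chain: on a plain
// object this also "finds" Object.prototype members such as toString.
function hasLabel(scope, name) {
  return name in scope.labels;
}

// Define a label. The duplicate check is an own-property check, which is
// the right check; the store itself can still misbehave (see probe below).
function defineLabel(scope, name, line) {
  if (Object.prototype.hasOwnProperty.call(scope.labels, name)) {
    return 'duplicate';
  }
  scope.labels[name] = { line: line };
  return 'defined';
}

// Run one constructed sequence of Lua-label operations against a fresh
// scope and report what the dictionary actually did.
function probeLabelTable(objectCreate) {
  const scope = createScope(objectCreate);
  const labels = scope.labels;
  const result = {};

  // (1) `goto toString` in a program that never defines ::toString::.
  result.phantomToString = hasLabel(scope, 'toString');

  // (2) `::__proto__::` defined twice in the same block.
  result.firstProto = defineLabel(scope, '__proto__', 2);
  result.secondProto = defineLabel(scope, '__proto__', 5);

  // What was stored: own keys, and whether the store rewired the prototype
  // instead of recording a label.
  result.ownKeys = Object.keys(labels);
  const proto = Object.getPrototypeOf(labels);
  result.protoHijacked = proto !== null && proto !== Object.prototype;
  result.lineViaPrototype = labels.line; // only reachable if hijacked

  // (3) Object.prototype itself is untouched in either mode: assigning
  // `__proto__` on an instance changes that instance's prototype only.
  result.globalPolluted = ({}).line !== undefined;
  return result;
}

// Stand-alone run: patched initialisation versus the fallback branch.
console.log('Object.create(null):', probeLabelTable(Object.create));
console.log('plain {} fallback:  ', probeLabelTable(undefined));
```

With `Object.create(null)` the table behaves as a dictionary: `toString` is not a label, `__proto__` becomes an ordinary own key (the `__proto__` accessor lives on `Object.prototype`, which a null-prototype object does not have), and the second definition is reported as a duplicate. With the `{}` fallback, `goto toString` resolves to a phantom label, the first `__proto__` store replaces the table's prototype with `{ line: 2 }` and the second with `{ line: 5 }` without ever creating an own key, so the duplicate is missed and `labels.line` reads `5` through inheritance. In neither mode is `Object.prototype` modified, which is why the issue is better described as prototype-key collision than as global prototype pollution.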