🛡️ Sentinel: [CRITICAL] Fix prototype pollution in label tracking #38
ericbfriday wants to merge 1 commit into
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Pull request overview
This PR mitigates a prototype-pollution vector in luaparse’s control-flow label tracking by ensuring label dictionaries don’t inherit from Object.prototype, preventing special keys like __proto__ from mutating the dictionary’s prototype during parsing.
Changes:
- Initialize per-scope `labels` with a null-prototype object (`Object.create(null)`) instead of an object literal.
- Add a Sentinel record documenting the vulnerability and the preferred prevention pattern for dictionary-like objects.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| luaparse.js | Hardens label tracking storage against prototype pollution by using a null-prototype dictionary. |
| .jules/sentinel.md | Documents the vulnerability and the mitigation guidance for future prevention. |
🚨 Severity: CRITICAL
💡 Vulnerability: The Lua parser tracked script labels using a simple object literal (`labels: {}`). This allowed malicious users to define labels matching generic object prototype properties (like `__proto__` or `hasOwnProperty`), potentially polluting or interfering with the `Object.prototype` when accessed or modified during the goto resolution phase.
🎯 Impact: This could allow a malicious user to overwrite the global Object.prototype chain during parsing, causing the host application to crash, leak information, or behave unexpectedly.
🔧 Fix: Modified the label tracking dictionary initialization in `luaparse.js` to `Object.create ? Object.create(null) : {}`, which ensures the dictionary has no prototype chain.
✅ Verification: Ran `npm run test` and `npm run bench:luast` to verify that functionality and performance are maintained. Evaluated a manual test script testing parsing `::__proto__::` showing it successfully parses without polluting `Object.prototype`.
PR created automatically by Jules for task 17589926056849892677 started by @ericbfriday
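The following is an added example illustrating the point made in both the Copilot overview and the Sentinel record above; it is not luaparse's own code, and the label bookkeeping it models (an `in` duplicate check, a `{ name, line }` record per label) is an assumed simplification of what a Lua parser does with `::name::` labels. It uses `Object.create(null)` directly rather than the PR's `Object.create ? Object.create(null) : {}` fallback for engines without `Object.create`. It shows the two ways an object-literal dictionary misbehaves on label names that happen to match inherited `Object.prototype` members, and that a null-prototype dictionary stores the same names as ordinary keys:

```javascript
// Added example, not luaparse's own code: a minimal model of the label
// bookkeeping this PR hardens. Each scope keeps a dictionary keyed by the
// label name (the text between the `::` markers); declaring a label checks
// for a duplicate, and `goto` later looks the name up in the same dictionary.

// Constructed Lua label names, including two that collide with properties
// every ordinary object inherits from Object.prototype.
const LABEL_NAMES = ["loop", "hasOwnProperty", "__proto__"];

// Vulnerable shape from the page: an object literal as the dictionary.
function makeLiteralDict() {
  return {};
}

// Hardened shape from the PR: a dictionary with no prototype chain.
function makeNullProtoDict() {
  return Object.create(null);
}

// Declare each label in turn. A name that is already present is reported as
// a duplicate; otherwise a label record is stored under it. With a literal
// dictionary the `in` test also sees inherited properties, so perfectly
// legal Lua label names are rejected as duplicates before anything is stored.
function declareLabels(labels, names) {
  const duplicates = [];
  names.forEach(function (name, index) {
    if (name in labels) {
      duplicates.push(name);
    } else {
      labels[name] = { name: name, line: index + 1 };
    }
  });
  return duplicates;
}

// Own keys actually recorded in the dictionary, in insertion order.
function recordedLabels(labels) {
  return Object.keys(labels);
}

// A parser that stores without a duplicate check hits a second hazard: on a
// literal dictionary, assigning to the key "__proto__" invokes the inherited
// accessor and replaces the dictionary's prototype with the label record
// instead of creating an own property. Returns whether the key ended up as
// an own property of the dictionary.
function storeUnchecked(labels, name, record) {
  labels[name] = record;
  return Object.prototype.hasOwnProperty.call(labels, name);
}

// Run both dictionary shapes side by side and return the observations.
function compare() {
  const literal = makeLiteralDict();
  const nullProto = makeNullProtoDict();
  const literalUnchecked = makeLiteralDict();
  const nullProtoUnchecked = makeNullProtoDict();
  const record = { name: "__proto__", line: 3 };
  return {
    literal: {
      duplicates: declareLabels(literal, LABEL_NAMES),
      recorded: recordedLabels(literal),
      protoStoredAsOwnKey: storeUnchecked(literalUnchecked, "__proto__", record),
      prototypeReplaced: Object.getPrototypeOf(literalUnchecked) === record,
    },
    nullProto: {
      duplicates: declareLabels(nullProto, LABEL_NAMES),
      recorded: recordedLabels(nullProto),
      protoStoredAsOwnKey: storeUnchecked(nullProtoUnchecked, "__proto__", record),
      prototypeReplaced: Object.getPrototypeOf(nullProtoUnchecked) === record,
    },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

Running it shows the literal dictionary rejecting `hasOwnProperty` and `__proto__` as duplicates (only `loop` is recorded) and, in the unchecked path, swapping its own prototype for the label record, while the null-prototype dictionary records all three names as plain own keys and keeps a `null` prototype. The same `Object.create(null)` pattern applies to any parser-internal map keyed by attacker-chosen identifiers.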