🛡️ Sentinel: [CRITICAL] Fix Prototype Pollution in label definitions #39
ericbfriday wants to merge 1 commit into
Updated the `labels` dictionary initialization in `luaparse.js` to use a null-prototype object (`Object.create(null)`). This prevents Prototype Pollution vulnerabilities that could be triggered by parsing malicious Lua code defining labels with names of built-in prototype properties (like `__proto__`, `constructor`, or `hasOwnProperty`).
Pull request overview
This PR hardens the Lua parser's label tracking against prototype pollution by initializing the per-scope labels dictionary as a null-prototype object instead of a plain object literal. Since label names come directly from parsed user identifiers and lookups already use Object.prototype.hasOwnProperty.call, this change closes a potential pollution/DoS vector when parsing labels like __proto__ or constructor (Lua 5.2+/LuaJIT).
Changes:
- In `FullFlowContext.prototype.pushScope`, replace `labels: {}` with `labels: Object.create ? Object.create(null) : {}`.
- Add `.jules/sentinel.md` documenting the vulnerability, learning, and prevention guidance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `luaparse.js` | Uses a null-prototype object for the labels dictionary in flow-context scopes. |
| `.jules/sentinel.md` | Documents the prototype-pollution fix and recommends null-prototype dictionaries for arbitrary keys. |
🚨 Severity: CRITICAL
💡 Vulnerability: The Lua parser maintained a local scope dictionary of labels using a standard object literal (`labels: {}`). This allowed user-supplied label names from parsed Lua code to inadvertently read from or write to `Object.prototype` (e.g., if a label was named `__proto__` or `hasOwnProperty`).
🎯 Impact: Attackers providing malicious Lua code could trigger Prototype Pollution or cause a Denial of Service (DoS) by crashing the parser during lookups when it encounters unexpected inherited properties.
🔧 Fix: Initialized the `labels` dictionary with a null-prototype object (`Object.create(null)`) using a backward-compatible fallback (`Object.create ? Object.create(null) : {}`).
✅ Verification: Ran `npm run test` and `npm run bench:luast` to verify that all parser functionality remains intact and performance is unaffected. Tested specifically for the `__proto__` and `hasOwnProperty` labels, confirming they no longer pollute the prototype or throw errors during parsing.
PR created automatically by Jules for task 16533251274696661320 started by @ericbfriday
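As an added illustration (not luaparse's own code; the helper names `defineLabel`, `resolveGoto` and `probeLabelTable` are hypothetical), a minimal model of a per-scope label table is probed with the three reserved identifiers the report and review mention, first as a plain object literal and then as the null-prototype object the fix introduces, so the difference in duplicate detection and `goto` resolution is visible directly:

```javascript
// Added illustration, not luaparse's own code: a minimal model of a per-scope
// label table, probed with the reserved identifiers the report discusses.
// Helper names (defineLabel, resolveGoto, probeLabelTable) are hypothetical.

const RESERVED_NAMES = ['__proto__', 'constructor', 'hasOwnProperty'];

// The own-property guard the PR says lookups already use; it keeps working even
// when a label record has been stored under the key "hasOwnProperty".
function hasOwn(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key);
}

// Record a label in `table`; reject a second definition in the same scope.
function defineLabel(table, name, line) {
  if (hasOwn(table, name)) {
    return { ok: false, firstLine: table[name].line };
  }
  table[name] = { line: line };
  return { ok: true };
}

// Resolve `goto name`: the label's line, or null when no such label is visible.
function resolveGoto(table, name) {
  return hasOwn(table, name) ? table[name].line : null;
}

// Define each reserved name twice in a fresh table from `makeTable` and report
// what the parser would observe. The report is itself null-prototype so that
// the "__proto__" entry is stored as an ordinary key.
function probeLabelTable(makeTable) {
  const report = Object.create(null);
  for (const name of RESERVED_NAMES) {
    const table = makeTable();
    const inheritedBeforeDefine = table[name] !== undefined; // unguarded read
    defineLabel(table, name, 1);
    const second = defineLabel(table, name, 2);
    const proto = Object.getPrototypeOf(table);
    report[name] = {
      inheritedBeforeDefine: inheritedBeforeDefine,
      duplicateRejected: !second.ok,
      gotoLine: resolveGoto(table, name),
      // A plain object treats `table.__proto__ = record` as a prototype swap.
      prototypeReplaced: proto !== Object.prototype && proto !== null,
    };
  }
  return report;
}

const plainTable = () => ({});                     // the old `labels: {}`
const nullProtoTable = () => Object.create(null);  // the fix

console.log(probeLabelTable(plainTable), probeLabelTable(nullProtoTable));
```

With the plain literal, a label named `__proto__` never becomes an own property, so its duplicate is accepted and `goto __proto__` resolves to nothing, while the table's prototype is silently swapped; with `Object.create(null)` all three names behave like any other label.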