
LGTM-Alert Prototype pollution? #517

Closed
2 tasks done
Uzlopak opened this issue Aug 31, 2022 · 2 comments

Comments

Uzlopak (Contributor) commented Aug 31, 2022

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the issue has not already been raised

Issue

We should just check if this is a valid alert or not.

https://lgtm.com/projects/g/fastify/fast-json-stringify?mode=tree&ruleFocus=1513136283260

According to LGTM, it was introduced with #504.

mcollina (Member)

climba03003 (Member)

Even the alert itself should be a false positive.

fjsCloned is a symbol, not a user-provided string. It can never be __proto__ and trigger the problem described.
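To illustrate the point made above (a Symbol-keyed assignment can never reach `__proto__`, while a string key taken from untrusted input still needs a guard), here is an added example; it is not code from fast-json-stringify, and the `fjsCloned` declaration, `markCloned`, `setOwnKey` and `prototypeIsClean` are assumed names:

```javascript
'use strict';

// Assumed declaration, modelled on the thread's description of fjsCloned as
// a Symbol; not the project's own code.
const fjsCloned = Symbol('fjsCloned');

// Marks a schema as already cloned using the Symbol key. typeof fjsCloned is
// 'symbol', so it can never compare equal to the string '__proto__': the
// assignment only ever creates an own property on `schema`.
function markCloned(schema) {
  schema[fjsCloned] = true;
  return schema;
}

// The genuinely risky shape is a string key that came from untrusted input.
// This hypothetical helper refuses the keys that could reach a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setOwnKey(target, key, value) {
  if (typeof key === 'symbol') {
    target[key] = value; // symbols cannot name the prototype link
    return target;
  }
  if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing to set key ${String(key)}`);
  }
  // defineProperty creates an own property and never walks the setter chain.
  Object.defineProperty(target, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// True when Object.prototype has gained no enumerable property and a fresh
// object does not inherit a stray `polluted` field.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0 && ({}).polluted === undefined;
}

// Returns true when setOwnKey rejects `key` with a TypeError.
function rejectsKey(key) {
  try {
    setOwnKey({}, key, 1);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Running `markCloned` on a schema leaves `Object.prototype` untouched and the marker visible only via `Object.getOwnPropertySymbols`, which is why a Symbol key cannot be the source of the reported pollution.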
