Merge branch 'release/4.2.5'

CHANGELOG.yaml

@@ -1,3 +1,10 @@
+4.2.5:
+  date: 2023-04-10
+  fixed bugs:
+    - GH-907 Defined `Error.prepareStackTrace` to prevent stack trace pollution
+  chores:
+    - Updated dependencies
+
 4.2.4:
   date: 2023-03-10
   fixed bugs:

lib/sandbox/index.js

@@ -54,6 +54,22 @@
         // @note this deletes the constructor as well to make sure one can't recreate the same scope
         contextObject = Object.getPrototypeOf(contextObject);
     } while (contextObject && contextObject.constructor !== Object);
+
+    // define custom Error.prepareStackTrace
+    Object.defineProperty(Error, 'prepareStackTrace', {
+        value: function (error, structuredStackTrace) {
+            const errorString = String(error);
+
+            if (Array.isArray(structuredStackTrace) && structuredStackTrace.length) {
+                return `${errorString}\n    at ${structuredStackTrace.join('\n    at ')}`;
+            }
+
+            return errorString;
+        },
+        configurable: false,
+        enumerable: false,
+        writable: false
+    });
 }());
 
 // do include json purse

package.json

@@ -1,6 +1,6 @@
 {
   "name": "postman-sandbox",
-  "version": "4.2.4",
+  "version": "4.2.5",
   "description": "Sandbox for Postman Scripts to run in Node.js or browser",
   "author": "Postman Inc.",
   "license": "Apache-2.0",
@@ -66,11 +66,11 @@
     "csv-parse": "1.2.4",
     "editorconfig": "^0.15.3",
     "eslint": "^7.32.0",
-    "eslint-plugin-jsdoc": "^40.0.0",
+    "eslint-plugin-jsdoc": "^40.1.2",
     "eslint-plugin-lodash": "^7.4.0",
     "eslint-plugin-mocha": "^10.0.5",
     "eslint-plugin-security": "^1.7.1",
-    "jquery": "^3.6.3",
+    "jquery": "^3.6.4",
     "js-yaml": "^4.1.0",
     "jsdoc": "^3.6.10",
     "karma": "^6.4.1",
@@ -89,7 +89,7 @@
     "shelljs": "^0.8.5",
     "sinon": "^12.0.1",
     "sinon-chai": "^3.7.0",
-    "terser": "^5.16.4",
+    "terser": "^5.16.9",
     "tsd-jsdoc": "^2.5.0",
     "tv4": "1.3.0",
     "uniscope": "2.0.1",

test/unit/sandbox-sanity.test.js

@@ -57,6 +57,24 @@ describe('sandbox', function () {
         });
     });
 
+    it('should not be able to mutate Error.prepareStackTrace', function (done) {
+        Sandbox.createContext(function (err, ctx) {
+            if (err) { return done(err); }
+            ctx.on('error', done);
+
+            ctx.execute(`
+                var assert = require('assert');
+                var fn = Error.prepareStackTrace;
+
+                Error.prepareStackTrace = () => {};
+                assert.equal(Error.prepareStackTrace, fn);
+
+                var err = new Error('Test');
+                assert.equal(err.stack.split('\\n')[0], 'Error: Test');
+            `, done);
+        });
+    });
+
     it('should not have access to global properties', function (done) {
         Sandbox.createContext({ debug: true }, function (err, ctx) {
             if (err) { return done(err); }