-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathObjectKeys-enumerable.PoC.js
More file actions
61 lines (52 loc) · 1.4 KB
/
ObjectKeys-enumerable.PoC.js
File metadata and controls
61 lines (52 loc) · 1.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
// SPDX-License-Identifier: BlueOak-1.0.0
import { scoring } from "./score.js";
const propertyName = "foo";
const subject = new Proxy({
[propertyName]: "bar",
}, {
getOwnPropertyDescriptor() {
return {
configurable: true
};
}
});
export const about = {
function: "Object.keys",
link: "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/keys",
properties: ["'enumerable'"],
description: `
To get the keys of an object JavaScript enumerates its properties. To
enumerate properties of an object, JavaScript relies on the 'enumerable'
property in each property's descriptor. If the descriptor is implemented
incorrectly (e.g. on a Proxy) the descriptor object becomes vulnerable to
prototype pollution, allowing you to make properties enumerable.`,
spectrace: [
"https://tc39.es/ecma262/#sec-object.keys",
"https://tc39.es/ecma262/#sec-enumerableownproperties",
],
};
export function prerequisite() {
const got = Object.keys(subject);
if (got.length === 0) {
return [true, null];
} else {
return [false, `got [${got.join(",")}]`];
}
}
export function test() {
Object.prototype.enumerable = true;
const got = Object.keys(subject);
if (got.length === 1 && got[0] === propertyName) {
return true;
} else {
return false;
}
}
export function cleanup() {
delete Object.prototype.enumerable;
}
export function score() {
return [
scoring.REQUIRES_PROXY,
];
}