Skip to content

fix(cli): fix for code scanning alerts: Prototype-polluting assignment #233

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mrgrain merged 2 commits into from
Mar 14, 2025
Merged

fix(cli): fix for code scanning alerts: Prototype-polluting assignment #233

mrgrain merged 2 commits into from
Mar 14, 2025

Conversation

@mrgrain
Copy link
Contributor

@mrgrain mrgrain commented Mar 14, 2025
edited
Loading

Fix for https://github.com/aws/aws-cdk-cli/security/code-scanning/5 https://github.com/aws/aws-cdk-cli/security/code-scanning/6 https://github.com/aws/aws-cdk-cli/security/code-scanning/7

To fix the prototype pollution vulnerability, we need to ensure that the keys used in the deepSet function do not include any properties that can modify Object.prototype. This can be achieved by validating the keys in the path array and rejecting any keys that are __proto__, constructor, or prototype.

The best way to fix this problem without changing existing functionality is to add a validation step before using the keys in the path array. We will add a check to ensure that none of the keys in the path array are __proto__, constructor, or prototype.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@mrgrain @github-advanced-security
Potential fix for code scanning alert no. 6: Prototype-polluting assi…
550c41f 
…gnment

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions github-actions bot added the p2 label Mar 14, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team March 14, 2025 12:00
@mrgrain mrgrain temporarily deployed to integ-approval March 14, 2025 12:06 — with GitHub Actions Inactive
@mrgrain mrgrain changed the title Potential fix for code scanning alert no. 6: Prototype-polluting assignment fix(cli): fix for code scanning alerts: Prototype-polluting assignment Mar 14, 2025
@mrgrain mrgrain marked this pull request as ready for review March 14, 2025 12:08
@codecov-commenter
Copy link

codecov-commenter commented Mar 14, 2025

Codecov Report

Attention: Patch coverage is 66.66667% with 8 lines in your changes missing coverage. Please review.

Project coverage is 84.96%. Comparing base (3791941) to head (f34c60d).

Files with missing lines Patch % Lines
...s/@aws-cdk/tmp-toolkit-helpers/src/util/objects.ts 66.66% 8 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #233      +/-   ##
==========================================
+ Coverage   84.88%   84.96%   +0.07%     
==========================================
  Files         208      208              
  Lines       35680    35701      +21     
  Branches     4616     4618       +2     
==========================================
+ Hits        30287    30333      +46     
+ Misses       5247     5218      -29     
- Partials      146      150       +4
Flag Coverage Δ
suite.unit 84.96% <66.66%> (+0.07%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@aws-cdk-automation aws-cdk-automation added this pull request to the merge queue Mar 14, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 14, 2025
@mrgrain mrgrain added this pull request to the merge queue Mar 14, 2025
Merged via the queue into main with commit f855b15 Mar 14, 2025
29 of 33 checks passed
@mrgrain mrgrain deleted the alert-autofix-6 branch March 14, 2025 16:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaizencc kaizencc kaizencc approved these changes

Assignees

No one assigned

Labels

p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mrgrain @codecov-commenter @kaizencc