Skip to content

fix(aws-serverless): Remove possible prototype pollution source #14110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 29, 2024
Merged

fix(aws-serverless): Remove possible prototype pollution source #14110

merged 1 commit into from
Oct 29, 2024

Conversation

AbhiPrasad
Copy link
Member

Fixes https://github.com/getsentry/sentry-javascript/security/code-scanning/307

To fix the prototype pollution issue, we need to ensure that the handlerName does not include any special properties like __proto__, constructor, or prototype. We can achieve this by adding a check to filter out these properties before performing the assignment.

  1. Add a check to ensure handlerName does not include __proto__, constructor, or prototype.
  2. If handlerName includes any of these properties, log an error and return without making the assignment.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@AbhiPrasad @github-advanced-security
Fix code scanning alert no. 307: Prototype-polluting assignment
f08906c 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@AbhiPrasad AbhiPrasad changed the title Fix code scanning alert no. 307: Prototype-polluting assignment fix(aws-serverless): Remove possible prototype pollution source Oct 29, 2024
@AbhiPrasad AbhiPrasad marked this pull request as ready for review October 29, 2024 02:44
@AbhiPrasad AbhiPrasad requested review from a team, chargome and stephanie-anderson and removed request for a team October 29, 2024 02:44
mydea
mydea approved these changes Oct 29, 2024
View reviewed changes
Copy link
Member

@mydea mydea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems reasonable to me!

@AbhiPrasad AbhiPrasad merged commit c98377b into develop Oct 29, 2024
130 checks passed
@AbhiPrasad AbhiPrasad deleted the alert-autofix-307 branch October 29, 2024 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mydea mydea mydea approved these changes

@chargome chargome chargome approved these changes

@stephanie-anderson stephanie-anderson Awaiting requested review from stephanie-anderson stephanie-anderson was automatically assigned from getsentry/team-web-sdk-frontend

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AbhiPrasad @mydea @chargome