Actions
Bug #22308
closed
Ignore datatable prototype pollution
Status:
Released
Priority:
N/A
Assignee:
Category:
Security
Target version:
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No
Description
https://security.snyk.io/vuln/SNYK-JS-DATATABLESNET-1016402
In general I feel this is very unlikely to be a problem since it requires the dev to have used constructor as their data property name (or a parameter part of it). Of course quite possible and we should protect against it, but I don't recall ever having seen anyone doing that.
We don't have anything named constructor.
Updated by Alexis Mousset almost 2 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset almost 2 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Vincent MEMBRÉ
- Pull Request set to https://github.com/Normation/rudder/pull/4645
Updated by Alexis Mousset almost 2 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|7bfdae7bbbf42efe6cae871983ebea0fa6707c7e.
Updated by Alexis Mousset almost 2 years ago
- Fix check changed from To do to Checked
Updated by Alexis Mousset over 1 year ago
- Status changed from Pending release to Released
Actions