// SPDX-License-Identifier: BlueOak-1.0.0
import { scoring } from "./score.js";
// Fixture shared by prerequisite() and test(): a Proxy around an object that
// has exactly one own data property. The getOwnPropertyDescriptor trap answers
// every descriptor query with an object that sets only `configurable`, so the
// trap result itself carries no own `enumerable` field.
const propertyName = "foo";
const value = "bar";

const target = { [propertyName]: value };
const handler = {
  getOwnPropertyDescriptor: () => ({ configurable: true }),
};
const subject = new Proxy(target, handler);
// Metadata record exported for this PoC: the built-in being exercised, a
// reference link, the polluted property name(s), a prose description and the
// related specification links.
// NOTE(review): the description and the first spectrace entry talk about
// Object.defineProperty, but the code in this file only calls Object.entries
// on a Proxy whose getOwnPropertyDescriptor trap returns a descriptor without
// 'enumerable'. The text looks carried over from another PoC - confirm and
// reword so the record describes the path this file actually tests.
export const about = {
function: "Object.entries",
link: "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/entries",
// Name(s) of the Object.prototype properties this PoC sets; test() assigns
// `enumerable` and cleanup() deletes it again.
properties: ["'enumerable'"],
description: `
The Object.defineProperty API accepts a descriptor object for the property
being defined. Since this is a regular JavaScript object, any properties not
explicitly specified will be looked up in the prototype. Hence, any property,
including 'enumerable' can be polluted to affect newly defined properties.
Notes:
- This is a known gadget and is mentioned on MDN.`,
spectrace: [
"https://tc39.es/ecma262/#sec-object.defineproperty",
"https://tc39.es/ecma262/#sec-topropertydescriptor",
],
};
/**
 * Baseline check, run before anything is added to Object.prototype: with the
 * trap's descriptor lacking `enumerable`, Object.entries(subject) is expected
 * to come back empty.
 *
 * @returns {[boolean, (string|null)]} `[true, null]` when no entries are
 *   listed; otherwise `[false, message]` where the message shows what was
 *   returned instead.
 */
export function prerequisite() {
  const entries = Object.entries(subject);
  if (entries.length !== 0) {
    return [false, `got [${entries.join(",")}]`];
  }
  return [true, null];
}
/**
 * Sets `Object.prototype.enumerable = true` and checks whether
 * Object.entries(subject) now lists the fixture's single property.
 *
 * The assignment changes Object.prototype for every object in the realm and
 * is not undone here; cleanup() in this file removes it, so it has to run
 * after this function whatever the outcome.
 *
 * @returns {boolean} true when exactly one entry is returned and it equals
 *   `[propertyName, value]`; false otherwise.
 */
export function test() {
  Object.prototype.enumerable = true;

  const entries = Object.entries(subject);
  if (entries.length !== 1) {
    return false;
  }

  const first = entries[0];
  return first[0] === propertyName && first[1] === value;
}
/**
 * Removes the `enumerable` property that test() placed on Object.prototype,
 * so later code in the same realm no longer inherits it.
 */
export function cleanup() {
  const proto = Object.prototype;
  delete proto.enumerable;
}
/**
 * Reports the scoring tags attached to this PoC.
 *
 * @returns {Array} the `FAULTY_IMPLEMENTATION` and `AFFECTS_PROXIES` values
 *   from the imported `scoring` object, in that order.
 */
export function score() {
  const { FAULTY_IMPLEMENTATION, AFFECTS_PROXIES } = scoring;
  return [FAULTY_IMPLEMENTATION, AFFECTS_PROXIES];
}