fix(bidi): prevent prototype pollution in BiDi deserialization #41322

Merged
yury-s merged 1 commit into microsoft:main from SebTardif:fix-f047
Jun 16, 2026

@SebTardif

Contributor

Summary

  • Use Object.create(null) instead of {} in deserializeBidiMapping to prevent a __proto__ key from remote BiDi data from modifying Object.prototype
  • Add test for the behavioral contract

Introduced in #38587

Use Object.create(null) instead of {} for the result object in
deserializeBidiMapping to prevent a __proto__ key from remote BiDi
data from modifying Object.prototype.
@dgozman dgozman requested a review from yury-s June 16, 2026 15:06
@yury-s yury-s merged commit 722b776 into microsoft:main Jun 16, 2026
44 of 47 checks passed
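
The behaviour the PR summary describes, as an added example that is not part of the PR or of Playwright's code: the function names, the `[key, value]` pair-list input and the sample data are assumptions made for illustration. It compares what a `__proto__` key does to a `{}` accumulator and to an `Object.create(null)` one.

```javascript
// Added example. Function names and the pair-list input shape are
// assumptions; this is not Playwright's deserializeBidiMapping.

// Variant using an ordinary object literal as the accumulator.
function deserializeMappingUnsafe(pairs) {
  const result = {};
  for (const [key, value] of pairs)
    result[key] = value; // key "__proto__" invokes the inherited setter
  return result;
}

// Variant using a null-prototype accumulator: there is no inherited
// __proto__ accessor, so every key becomes a plain own property.
function deserializeMappingSafe(pairs) {
  const result = Object.create(null);
  for (const [key, value] of pairs)
    result[key] = value;
  return result;
}

// Constructed sample of remote data: one normal key, one "__proto__" key.
const remotePairs = [
  ['name', 'page-1'],
  ['__proto__', { isTrusted: true }],
];

// Summarise what the deserialized object looks like to later code.
function inspect(obj) {
  const proto = Object.getPrototypeOf(obj);
  return {
    ownKeys: Object.keys(obj),
    // true when remote data swapped in its own prototype object
    prototypeReplaced: proto !== null && proto !== Object.prototype,
    // true when a remote-chosen property is visible through inheritance
    inheritedIsTrusted: obj.isTrusted === true,
    // true when the key also became visible on unrelated objects
    globalPolluted: ({}).isTrusted !== undefined,
  };
}

console.log('{} accumulator:', inspect(deserializeMappingUnsafe(remotePairs)));
console.log('null-prototype:', inspect(deserializeMappingSafe(remotePairs)));
```

Code that consumes the null-prototype result cannot call inherited methods such as `result.hasOwnProperty(...)`; use `Object.prototype.hasOwnProperty.call(result, key)` or `Object.hasOwn(result, key)` instead.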
@github-actions

Contributor

Test results for "MCP"

7341 passed, 1122 skipped


Merge workflow run.

@github-actions

Contributor

Test results for "tests 1"

2 flaky
⚠️ [chromium-library] › library/video.spec.ts:645 › screencast › should capture full viewport `@chromium-ubuntu-22.04-node22`
⚠️ [firefox-library] › library/inspector/cli-codegen-3.spec.ts:224 › cli codegen › should generate frame locators (4) `@firefox-ubuntu-22.04-node20`

39601 passed, 743 skipped


Merge workflow run.

@whimboo

whimboo commented Jun 18, 2026

Collaborator

@SebTardif please note that this PR got reverted due to #41341.
