console: fix prototype pollution via console.table

tniessen · richardlau · commit be69403528da · 2022-01-07T12:04:42.000Z
CVE-ID: CVE-2022-21824 Backport-PR-URL: nodejs-private/node-private#308 PR-URL: nodejs-private/node-private#307 Refs: https://hackerone.com/reports/1431042 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
diff --git a/lib/internal/console/constructor.js b/lib/internal/console/constructor.js
@@ -9,6 +9,7 @@ const {
   Boolean,
   Error,
   Map,
+  ObjectCreate,
   ObjectDefineProperties,
   ObjectDefineProperty,
   ObjectKeys,
@@ -532,7 +533,7 @@ const consoleMethods = {
       return final([iterKey, valuesKey], [getIndexArray(length), values]);
     }
 
-    const map = {};
+    const map = ObjectCreate(null);
     let hasPrimitives = false;
     const valuesKeyArray = [];
     const indexKeyArray = ObjectKeys(tabularData);
diff --git a/test/parallel/test-console-table.js b/test/parallel/test-console-table.js
@@ -276,3 +276,18 @@ test({ foo: '你好', bar: 'hello' }, `
 │   bar   │ 'hello' │
 └─────────┴─────────┘
 `);
+
+// Regression test for prototype pollution via console.table. Earlier versions
+// of Node.js created an object with a non-null prototype within console.table
+// and then wrote to object[column][index], which lead to an error as well as
+// modifications to Object.prototype.
+test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
+┌─────────┬───────────┐
+│ (index) │ __proto__ │
+├─────────┼───────────┤
+│    0    │           │
+│    1    │           │
+└─────────┴───────────┘
+`);
+assert.strictEqual('0' in Object.prototype, false);
+assert.strictEqual('1' in Object.prototype, false);
