Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix code scanning alert no. 1: Prototype-polluting function #3920

Merged
merged 1 commit into from
Sep 30, 2024
Merged

Fix code scanning alert no. 1: Prototype-polluting function #3920

merged 1 commit into from
Sep 30, 2024

Conversation

alex-w
Copy link
Member

@alex-w alex-w commented Sep 28, 2024

Fixes https://github.com/Stellarium/stellarium/security/code-scanning/1

To fix the prototype pollution vulnerability in the extend function, we need to add checks to prevent the merging of special properties like __proto__ and constructor. This can be done by adding a condition to skip these properties during the merge process.

  • General Fix: Add a condition to skip properties named __proto__ and constructor during the merge process.
  • Detailed Fix: Modify the extend function to include a check that skips the properties __proto__ and constructor when copying properties from the source object to the target object.
  • Specific Changes: Update the extend function in the file plugins/RemoteControl/webroot/js/globalize.js to include the necessary checks.
  • Requirements: No additional methods or imports are needed. The changes will be made directly within the extend function.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@alex-w @github-advanced-security
Fix code scanning alert no. 1: Prototype-polluting function
e762011 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions github-actions bot requested review from 10110111 and gzotti September 28, 2024 14:43
@alex-w alex-w marked this pull request as ready for review September 28, 2024 16:36
@alex-w alex-w added this to the 24.4 milestone Sep 28, 2024
@alex-w alex-w merged commit 21d53a5 into master Sep 30, 2024
31 checks passed
@alex-w alex-w deleted the autofix/alert-1-4cbf4d3198 branch September 30, 2024 06:27
@alex-w alex-w added the state: published The fix has been published for testing in weekly binary package label Oct 7, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 7, 2024

Hello @alex-w!

Please check the fresh version (development snapshot) of Stellarium:
https://github.com/Stellarium/stellarium-data/releases/tag/weekly-snapshot

@alex-w alex-w removed the state: published The fix has been published for testing in weekly binary package label Dec 22, 2024
@github-actions GitHub Actions
Copy link

Hello @alex-w!

Please check the latest stable version of Stellarium:
https://github.com/Stellarium/stellarium/releases/latest

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@10110111 10110111 Awaiting requested review from 10110111

@gzotti gzotti Awaiting requested review from gzotti

Assignees

@alex-w alex-w

Labels
None yet
Milestone
24.4
Development

Successfully merging this pull request may close these issues.
1 participant
@alex-w