From 9e98e866043312f536d565230c1971bf2d0751f4 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Wed, 11 Dec 2024 12:11:38 +0100 Subject: [PATCH] util: do not rely on mutable `Object` and `Function`' `constructor` prop PR-URL: https://github.com/nodejs/node/pull/56188 Fixes: https://github.com/nodejs/node/issues/55924 Reviewed-By: Ruben Bridgewater Reviewed-By: Jordan Harband --- lib/internal/util/inspect.js | 30 +++++++++++++++++++++++++----- test/parallel/test-util-inspect.js | 30 ++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 5 deletions(-) diff --git a/lib/internal/util/inspect.js b/lib/internal/util/inspect.js index a697459468d7b9..1f1be555c96e08 100644 --- a/lib/internal/util/inspect.js +++ b/lib/internal/util/inspect.js @@ -22,8 +22,11 @@ const { DatePrototypeToISOString, DatePrototypeToString, ErrorPrototypeToString, + Function, + FunctionPrototype, FunctionPrototypeBind, FunctionPrototypeCall, + FunctionPrototypeSymbolHasInstance, FunctionPrototypeToString, JSONStringify, MapPrototypeEntries, @@ -50,6 +53,7 @@ const { ObjectGetPrototypeOf, ObjectIs, ObjectKeys, + ObjectPrototype, ObjectPrototypeHasOwnProperty, ObjectPrototypePropertyIsEnumerable, ObjectSeal, @@ -593,10 +597,26 @@ function isInstanceof(object, proto) { } } +// Special-case for some builtin prototypes in case their `constructor` property has been tampered. +const wellKnownPrototypes = new SafeMap(); +wellKnownPrototypes.set(ObjectPrototype, { name: 'Object', constructor: Object }); +wellKnownPrototypes.set(FunctionPrototype, { name: 'Function', constructor: Function }); + function getConstructorName(obj, ctx, recurseTimes, protoProps) { let firstProto; const tmp = obj; while (obj || isUndetectableObject(obj)) { + const wellKnownPrototypeNameAndConstructor = wellKnownPrototypes.get(obj); + if (wellKnownPrototypeNameAndConstructor != null) { + const { name, constructor } = wellKnownPrototypeNameAndConstructor; + if (FunctionPrototypeSymbolHasInstance(constructor, tmp)) { + if (protoProps !== undefined && firstProto !== obj) { + addPrototypeProperties( + ctx, tmp, firstProto || tmp, recurseTimes, protoProps); + } + return name; + } + } const descriptor = ObjectGetOwnPropertyDescriptor(obj, 'constructor'); if (descriptor !== undefined && typeof descriptor.value === 'function' && @@ -954,7 +974,11 @@ function formatRaw(ctx, value, recurseTimes, typedArray) { if (noIterator) { keys = getKeys(value, ctx.showHidden); braces = ['{', '}']; - if (constructor === 'Object') { + if (typeof value === 'function') { + base = getFunctionBase(value, constructor, tag); + if (keys.length === 0 && protoProps === undefined) + return ctx.stylize(base, 'special'); + } else if (constructor === 'Object') { if (isArgumentsObject(value)) { braces[0] = '[Arguments] {'; } else if (tag !== '') { @@ -963,10 +987,6 @@ function formatRaw(ctx, value, recurseTimes, typedArray) { if (keys.length === 0 && protoProps === undefined) { return `${braces[0]}}`; } - } else if (typeof value === 'function') { - base = getFunctionBase(value, constructor, tag); - if (keys.length === 0 && protoProps === undefined) - return ctx.stylize(base, 'special'); } else if (isRegExp(value)) { // Make RegExps say that they are RegExps base = RegExpPrototypeToString( diff --git a/test/parallel/test-util-inspect.js b/test/parallel/test-util-inspect.js index 3da292fc663c35..04fc82cfc1aa80 100644 --- a/test/parallel/test-util-inspect.js +++ b/test/parallel/test-util-inspect.js @@ -3323,3 +3323,33 @@ assert.strictEqual( } }), '{ [Symbol(Symbol.iterator)]: [Getter] }'); } + +{ + const o = {}; + const { prototype: BuiltinPrototype } = Object; + const desc = Reflect.getOwnPropertyDescriptor(BuiltinPrototype, 'constructor'); + Object.defineProperty(BuiltinPrototype, 'constructor', { + get: () => BuiltinPrototype, + configurable: true, + }); + assert.strictEqual( + util.inspect(o), + '{}', + ); + Object.defineProperty(BuiltinPrototype, 'constructor', desc); +} + +{ + const o = { f() {} }; + const { prototype: BuiltinPrototype } = Function; + const desc = Reflect.getOwnPropertyDescriptor(BuiltinPrototype, 'constructor'); + Object.defineProperty(BuiltinPrototype, 'constructor', { + get: () => BuiltinPrototype, + configurable: true, + }); + assert.strictEqual( + util.inspect(o), + '{ f: [Function: f] }', + ); + Object.defineProperty(BuiltinPrototype, 'constructor', desc); +}