Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect against prototype pollution in import action #7094

Merged
merged 9 commits into from
Oct 2, 2023
Merged

Protect against prototype pollution in import action #7094

merged 9 commits into from
Oct 2, 2023

Conversation

davetsay
Copy link
Contributor

Closes #7089

Describe your changes:

remove __proto__ when parsing JSON from import action

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Is this change backwards compatible? For example, developers won't need to change how they are calling the API or how they've extended core plugins such as Tables or Plots.

Author Checklist

  • Changes address original issue?
  • Tests included and/or updated with changes?
  • Command line build passes?
  • Has this been smoke tested?
  • Testing instructions included in associated issue OR is this a dependency/testcase change?

Reviewer Checklist

  • Changes appear to address issue?
  • Reviewer has tested changes by following the provided instructions?
  • Changes appear not to be breaking changes?
  • Appropriate automated tests included?
  • Code style and in-line documentation are appropriate?
  • Has associated issue been labelled unverified? (only applicable if this PR closes the issue)
  • Has associated issue been labelled bug? (only applicable if this PR is for a bug fix)

@codecov
Copy link

codecov bot commented Sep 27, 2023
edited
Loading

Codecov Report

Merging #7094 (596e8c5) into master (3c7d339) will increase coverage by 0.19%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #7094      +/-   ##
==========================================
+ Coverage   55.45%   55.64%   +0.19%     
==========================================
  Files         649      650       +1     
  Lines       26060    26063       +3     
  Branches     2547     2547              
==========================================
+ Hits        14451    14504      +53     
+ Misses      10907    10858      -49     
+ Partials      702      701       -1
Flag Coverage Δ *Carryforward flag
e2e-full 41.93% <ø> (+<0.01%) ⬆️ Carriedforward from 3c7d339
e2e-stable 57.27% <50.00%> (+0.08%) ⬆️
unit 49.16% <100.00%> (+0.15%) ⬆️

*This pull request uses carry forward flags. Click here to find out more.

Files Coverage Δ
...ugins/importFromJSONAction/ImportFromJSONAction.js 65.26% <100.00%> (+41.85%) ⬆️
...plugins/localStorage/LocalStorageObjectProvider.js 100.00% <100.00%> (ø)
src/utils/sanitization.js 100.00% <100.00%> (ø)

... and 7 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3c7d339...596e8c5. Read the comment docs.

@deploysentinel
Copy link

deploysentinel bot commented Sep 27, 2023
edited
Loading

Current Playwright Test Results Summary

✅ 14 Passing

Run may still be in progress, this comment will be updated as current testing workflow or job completes...

(Last updated on 10/02/2023 09:48:47pm UTC)

Run Details

Running Workflow e2e-couchdb on Github Actions

Commit: 596e8c5

Started: 10/02/2023 09:46:52pm UTC

View Detailed Build Results

Current Playwright Test Results Summary

✅ 140 Passing - ⚠️ 2 Flaky

Run may still be in progress, this comment will be updated as current testing workflow or job completes...

(Last updated on 10/02/2023 09:48:47pm UTC)

Run Details

Running Job e2e-stable on CircleCI

Commit: 596e8c5

Started: 10/02/2023 09:21:24pm UTC

⚠️ Flakes

📄   functional/plugins/plot/logPlot.e2e.spec.js • 1 Flake

Test Case Results

Test Case Last 7 days Failures Last 7 days Flakes
Log plot tests Log Plot ticks are functionally correct in regular and log mode and after refresh
Retry 1Initial Attempt
7.87% (7) 7 / 89 runs
failed over last 7 days
23.60% (21) 21 / 89 runs
flaked over last 7 days
📄   functional/plugins/notebook/notebookSnapshots.e2e.spec.js • 1 Flake

Test Case Results

Test Case Last 7 days Failures Last 7 days Flakes
Snapshot image tests Can drop an image onto a notebook and create a new entry
Retry 1Initial Attempt
16.09% (14) 14 / 87 runs
failed over last 7 days
60.92% (53) 53 / 87 runs
flaked over last 7 days

View Detailed Build Results

@davetsay davetsay marked this pull request as ready for review September 28, 2023 00:35
@unlikelyzero
Copy link
Contributor

Can you add a functional and negative test scenario for this in the e2e suite

shefalijoshi
shefalijoshi reviewed Sep 28, 2023
View reviewed changes
Copy link
Contributor

@shefalijoshi shefalijoshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious if we can use Vue's utility method here instead?

@davetsay
Copy link
Contributor Author

Curious if we can use Vue's utility method here instead?

I think we should try to keep view/Vue code out of the logic paths if possible.

@shefalijoshi shefalijoshi self-requested a review September 29, 2023 20:09
shefalijoshi
shefalijoshi approved these changes Sep 29, 2023
View reviewed changes
Copy link
Contributor

@shefalijoshi shefalijoshi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine!

@ozyx ozyx added this to the Target:3.1.0 milestone Oct 2, 2023
ozyx
ozyx suggested changes Oct 2, 2023
View reviewed changes
Copy link
Contributor

@ozyx ozyx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like there's a new memory leak? thus the failing perf test

@davetsay davetsay added the pr:e2e:couchdb npm run test:e2e:couchdb label Oct 2, 2023
@ozyx ozyx self-requested a review October 2, 2023 21:44
@davetsay
Copy link
Contributor Author

davetsay commented Oct 2, 2023

Looks like there's a new memory leak? thus the failing perf test

I re-ran the tests and perf passes. I don't think this introduced a leak.

@github-actions github-actions bot removed the pr:e2e:couchdb npm run test:e2e:couchdb label Oct 2, 2023
@davetsay davetsay merged commit 2243381 into master Oct 2, 2023
@davetsay davetsay deleted the fix/7089 branch October 2, 2023 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shefalijoshi shefalijoshi shefalijoshi approved these changes

@ozyx ozyx ozyx approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Target:3.1.0
Development

Successfully merging this pull request may close these issues.

json should be sanitized on import
4 participants
@davetsay @unlikelyzero @shefalijoshi @ozyx