Interesting security fix?

[lichwala]

Hello @Tao-VanJS !
Thank you for all your work on that fantastic framework! I love it!
I've learned a lot by studying your source code, so I've got just a short question regarding interesting "emergency fix" between 1.2.2 and 1.2.3.
If I understand it well, it's a security fix related to possible VanJS vulnerability to JavaScript prototype pollution. Is that right?
You wanted to optimize bundle size by 5 bytes replacing object initialization with { proto: ... } by Object.create(...)
If I understand it properly, this way van's state prototype is not directly overwritten thus can contain polluted version (taken by Object.create() static method).
Could you please confirm my understanding or explain it a bit if I'm wrong?
Thank you!

[Tao-VanJS]

Hi @lichwala,

Thanks for your interest in VanJS.

I don't think either Object.create(...) or {__proto__: ..., ...} has any security issues. The problem in the 1.2.2 release is that the code is buggy. For Object.create, the 2nd parameter is a propertiesObject, not the object itself, see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create#parameters. For instance, if you want to initiate {a: 1, b: 2} with Object.create, you need to pass in:

{
  a: {
    writable: true,
    configurable: true,
    value: 1,
  },
  b: {
    writable: true,
    configurable: true,
    value: 2,
  },
}

Thus 1.2.2 release was my fault. I should have run the tests to catch it. Luckily, I realized the issue just minutes after the release and did a emergency fix in 1.2.3. I hope no one was effected.

[lichwala]

Ahhh OK, now I fully understand this. Thank you for your detailed explanation!