brasetvik | 2 years ago

  >> JSON.parse("{}")["__proto__"]["A"] = "T"
  "T"
  >> W = {}
  Object {  }
  >> W.A
  "T"

owl57|2 years ago

And this is not deserving of WAT. This is actually a result of how awesome JavaScript is.

But if you ever actually do this, then... WAT.

olliej|2 years ago

That’s literally just prototype inheritance vs a UI nicety in node I assume.

What alternative behaviour would you expect?

brasetvik|2 years ago

It’s the wat I’ve seen have the most security impact.

Deep merging two JSON parsed objects is innocuous enough everywhere else that most don’t think twice about doing it. Lots of widely used libraries that provide deep merging utilities have had security vulnerabilities because of this.

I guess you could argue that the wat is that objects coming out of JSON.parse don’t have null as their prototype.
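
The deep-merge problem described in the comment above, shown as an added example that is not part of the thread and not taken from any particular library: an unfiltered recursive merge next to a version that skips prototype-reaching keys. The names `naiveMerge`, `safeMerge`, `demo` and the `isAdmin` key are hypothetical, and the JSON input is constructed.

```javascript
// Added illustration; naiveMerge, safeMerge, demo and the isAdmin key are hypothetical names.

// Recursive merge with no key filtering.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === "object") {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below ends up writing onto the shared prototype.
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Same merge, but it refuses prototype-reaching keys and only descends into
// properties the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val !== null && typeof val === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Merge a constructed untrusted document, then check whether an unrelated
// fresh object picked up the key.
function demo(mergeFn) {
  const untrusted = JSON.parse('{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}');
  const merged = mergeFn({ settings: { lang: "en" } }, untrusted);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so later code is unaffected
  return { polluted, settings: merged.settings };
}

console.log("naive:", demo(naiveMerge).polluted, "safe:", demo(safeMerge).polluted);
```

`JSON.parse` stores `__proto__` as an ordinary own property, which is why `Object.keys` hands it to the merge as just another key.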