fix(runtime): suggest --unstable-unsafe-proto after __proto__ assignment #35192
Open
bartlomieju wants to merge 3 commits into
Deno disables the `Object.prototype.__proto__` accessor by default to guard against prototype pollution. It did this by deleting the property, so writes silently created a useless own property and reads returned `undefined`, which makes accidental reliance on `__proto__` hard to debug. Making the accessor throw instead (#34730) surfaced those bugs but broke real packages such as Playwright and was reverted (#34772). This keeps the silent behavior but installs an accessor that reproduces the deleted semantics exactly (read -> `undefined`, write -> own data property, prototype unchanged) while recording the first assignment. When the program then crashes, the uncaught-error formatter appends a hint to run again with `--unstable-unsafe-proto`. The accessor is now present in both modes (matching Node), so the unsafe-proto detection in the tests and fixtures switches from checking presence to checking behavior (reading `__proto__` returns `undefined` only when disabled).
Deno disables the `Object.prototype.__proto__` accessor by default to guard against prototype pollution. It did this by deleting the property, so reads return `undefined` and writes silently create a useless own property without changing the prototype. These quiet failures are hard to track down when code accidentally relies on `__proto__`.

Making the accessor throw instead (#34730) surfaced those bugs but broke real packages such as Playwright, and was reverted (#34772). This takes a middle ground: it keeps the silent behavior, but installs an accessor that reproduces the deleted semantics exactly (read returns `undefined`, write creates an own data property, the prototype is unchanged) while recording the first assignment in a process-global flag. When the program later crashes, the uncaught-error formatter appends a hint to run again with `--unstable-unsafe-proto`. Programs that never touch `__proto__`, and runs with the flag already enabled, are unaffected.

One consequence is that the accessor is now present in both modes (which matches Node, where it always exists), so `Object.hasOwn(Object.prototype, "__proto__")` is now `true` by default rather than `false`. The detection in the existing tests and the unsafe-proto fixture therefore switches from checking presence to checking behavior: reading `__proto__` returns `undefined` only when the accessor is disabled.
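
The accessor semantics described in this PR, as an added sketch that is not the PR's own code: it installs the accessor on a stand-in root prototype rather than on the real `Object.prototype`, and contrasts the disabled mode with a simplified model of the standard accessor. The names `makeRoot`, `protoAssigned`, `protoIsDisabled`, `formatUncaught` and `assignProto`, and the hint wording, are hypothetical.

```javascript
// Added sketch: models the accessor on a stand-in root prototype instead of
// the real Object.prototype. All names below are hypothetical.
let protoAssigned = false; // stands in for the process-global flag

function makeRoot(disabled) {
  const root = Object.create(null);
  Object.defineProperty(root, "__proto__", {
    configurable: true,
    get() {
      // Disabled mode reads as if the property had been deleted.
      return disabled ? undefined : Object.getPrototypeOf(this);
    },
    set(value) {
      if (!disabled) {
        // Simplified model of the standard accessor (enabled mode).
        Object.setPrototypeOf(this, value);
        return;
      }
      protoAssigned = true; // remember the write for the crash hint
      if (Object(this) !== this) return; // primitive receiver: nothing to define
      // Same outcome as assigning with no accessor present: an own data
      // property, prototype chain untouched. Reflect.defineProperty returns
      // false instead of throwing on frozen receivers.
      Reflect.defineProperty(this, "__proto__", {
        value, writable: true, enumerable: true, configurable: true,
      });
    },
  });
  return root;
}

// Behavior-based detection: the property exists in both modes, so read it.
function protoIsDisabled(root) {
  return Object.create(root).__proto__ === undefined;
}

// Constructed hint wording; the PR page does not quote the real message.
function formatUncaught(err) {
  const hint = "hint: `__proto__` was assigned; try --unstable-unsafe-proto";
  return protoAssigned ? `${err.message}\n${hint}` : err.message;
}

// Performs the kind of write a merge or clone helper might make.
function assignProto(root) {
  const target = Object.create(root);
  target.__proto__ = { marker: true };
  return {
    ownProp: Object.hasOwn(target, "__proto__"),
    protoUnchanged: Object.getPrototypeOf(target) === root,
    inherited: target.marker,
  };
}
```
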