Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: default options for controlling proto access #1635

Merged
merged 1 commit into from
Jan 10, 2020

Conversation

nknapp
Copy link
Collaborator

@nknapp nknapp commented Jan 9, 2020

feat: default options for controlling proto access

This commmit adds the runtime options

  • allowProtoPropertiesByDefault (boolean, default: false) and
  • allowProtoMethodsByDefault (boolean, default: false)`
    which can be used to allow access to prototype properties and
    functions in general.

Specific properties and methods can still be disabled from access
via allowedProtoProperties and allowedProtoMethods by
setting the corresponding values to false.

The methods constructor, __defineGetter__, __defineSetter__, __lookupGetter__
and the property __proto__ will be disabled, even if the allow...ByDefault-options
are set to true. In order to allow access to those properties and methods, they have
to be explicitly set to true in the 'allowedProto...'-options.

A warning is logged when the a proto-access it attempted and denied
by default (i.e. if no option is set by the user to make the access
decision explicit)

@nknapp nknapp force-pushed the protoAccessDefaultOptions branch 2 times, most recently from 6ed0598 to f330390 Compare January 9, 2020 22:50
@Gerrit0
Copy link

Gerrit0 commented Jan 9, 2020

👍 thanks! Looks like this is a good balance between protecting users by default and allowing them the flexibility to continue using prototype methods in projects where that is necessary.

This commmit adds the runtime options
- `allowProtoPropertiesByDefault` (boolean, default: false) and
- `allowProtoMethodsByDefault` (boolean, default: false)`
which can be used to allow access to prototype properties and
functions in general.

Specific properties and methods can still be disabled from access
via `allowedProtoProperties` and `allowedProtoMethods` by
setting the corresponding values to false.

The methods `constructor`, `__defineGetter__`, `__defineSetter__`, `__lookupGetter__`
and the property `__proto__` will be disabled, even if the allow...ByDefault-options
are set to true. In order to allow access to those properties and methods, they have
to be explicitly set to true in the 'allowedProto...'-options.

A warning is logged when the a proto-access it attempted and denied
by default (i.e. if no option is set by the user to make the access
decision explicit)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants