From 730e3b5e2ebd52d060937ee30f82c5dc96097631 Mon Sep 17 00:00:00 2001
From: matias-la <98407225+matias-la@users.noreply.github.com>
Date: Wed, 27 Jul 2022 10:40:04 -0300
Subject: [PATCH] fix: use null prototype for LayoutAnimationRepository config (#3383)
## Description Prevent the `configs` object from having properties inherited from `Object.prototype`, such as `toString` or `__proto__`. Otherwise, using these properties could potentially have a security impact. ## Changes Changed the prototype of the `configs` object so it doesn't inherit from `Object.prototype`, as regular JS objects do by default. ## Test code and steps to reproduce Couldn't find a test case that I could base on to demonstrate how this could present a risk. An example of the problem caused by using an object inheriting from `Object.prototype` can be demonstrated by the following line (corresponding to the `startAnimationForTag` function): ```js const style = configs[tag][type](yogaValues); ``` If both `tag` and `type` had the value `constructor`, style would have the result of evaluating `configs.constructor.constructor(yogaValues)`, which in many platforms would be the same as `new Function(yogaValues)`. This could potentially be used to create functions with malicious code. Although I suspect the conditions to make this work would be hard to achieve, it's probably better to get rid of this potential threat by using null prototypes. ## Checklist - [ ] Included code example that can be used to test this change - [ ] Updated TS types - [ ] Added TS types tests - [ ] Added unit / integration tests - [ ] Updated documentation - [ ] Ensured that CI passes
---
 src/reanimated2/layoutReanimation/LayoutAnimationRepository.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/reanimated2/layoutReanimation/LayoutAnimationRepository.ts b/src/reanimated2/layoutReanimation/LayoutAnimationRepository.ts
index acd411859f6..4a8f9c0e4ee 100644
--- a/src/reanimated2/layoutReanimation/LayoutAnimationRepository.ts
+++ b/src/reanimated2/layoutReanimation/LayoutAnimationRepository.ts
@@ -7,7 +7,7 @@ import { processColor } from '../Colors';
 runOnUI(() => {
 'worklet';
- const configs: Record = {};
+ const configs: Record = Object.create(null);
 const enteringAnimationForTag: Record = {};
 global.LayoutAnimationRepository = {
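Review bot: `enteringAnimationForTag`, declared on the line right after the changed one, is still initialised with `{}`, so any lookup on it keyed by a tag would keep resolving inherited names such as `constructor` or `toString`; if it is indexed the same way as `configs` (its uses are outside this hunk, as is the rest of the `runOnUI` callback), it should be created with `Object.create(null)` as well. The null prototype also covers only the first level of the `configs[tag][type]` lookup quoted in the description: the per-tag value is presumably an ordinary object, so the `type` lookup still reaches `Object.prototype` unless it is limited to own properties or to the known set of animation types where the call is made. A one-line comment on the declaration, for example `// null prototype: tags are used as keys, inherited Object.prototype members must not resolve`, would keep a later cleanup from reverting it to `{}`.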