dubzzz
@fast-check/poisoning
Set of utilities to ease detection and revert of poisoning
Why?
In JavaScript, "prototype poisoning" is one of the most common source for CVEs or zero days. It allows attackers to change the behaviour of some defaults like Array.prototype.map, Map, Set... so that they behave differently and can be leveraged for evil stuffs. This package can be used in addition to fast-check in order to detect poisoning that may occur during your property based tests.
Easy to use
The package comes with:
assertNoPoisoning: assert that the defaults known when first importing the package in your code have not been changedrestoreGlobals: restore the defaults so that any change that could have been detected byassertNoPoisoningwill be resolved
Minimal requirements
- Node ≥12.17.0