
@fast-check/poisoning

dubzzz · 81 · MIT · 0.2.2 · TypeScript support: included

Set of utilities to ease detection and revert of poisoning

poisoning, cve, prototype, detection, fast-check

readme

@fast-check/poisoning


Set of utilities to ease detection and revert of poisoning

Why?

In JavaScript, "prototype poisoning" is one of the most common sources of CVEs and zero-days. It allows an attacker to change the behaviour of built-in defaults such as Array.prototype.map, Map, Set... so that they behave differently from what the surrounding code expects and can be leveraged to hijack that code. This package can be used in addition to fast-check in order to detect poisoning that may occur during your property-based tests.

Easy to use

The package comes with:

  • assertNoPoisoning: assert that the defaults captured when the package was first imported into your code have not been changed since
  • restoreGlobals: restore those defaults, so that any change assertNoPoisoning would have reported is reverted
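To make the two helpers concrete, here is an added sketch of the snapshot/diff/restore approach they rely on (example code written for this page, not the package's own implementation; the set of tracked roots, the "Root.key" label format and the function bodies are assumptions):

```javascript
// Added illustration, not the package's implementation: snapshot the own property
// descriptors of a few global roots at load time, report anything that later differs
// (the job of assertNoPoisoning) and put the originals back (the job of restoreGlobals).
// The roots tracked here and the "Root.key" label format are assumptions for this example.
const ROOTS = { 'Array.prototype': Array.prototype, 'Map.prototype': Map.prototype,
  'Set.prototype': Set.prototype, 'Object.prototype': Object.prototype };

// Capture the full descriptor (value or get/set, plus flags) of every own key, symbols
// included, so a swapped getter is caught just like a replaced function.
function snapshot(root) {
  const out = new Map();
  for (const key of Reflect.ownKeys(root)) out.set(key, Object.getOwnPropertyDescriptor(root, key));
  return out;
}
const baseline = new Map();
for (const [name, root] of Object.entries(ROOTS)) baseline.set(name, snapshot(root));

function sameDescriptor(a, b) {
  return !!a && !!b && a.value === b.value && a.get === b.get && a.set === b.set &&
    a.writable === b.writable && a.enumerable === b.enumerable && a.configurable === b.configurable;
}

// Labels of properties that were changed, added or deleted since the baseline was taken.
// (Uses Map/Set itself; the real package takes extra care not to depend on what it checks.)
function diffGlobals() {
  const changed = [];
  for (const [name, root] of Object.entries(ROOTS)) {
    const before = baseline.get(name);
    const after = snapshot(root);
    for (const key of new Set([...before.keys(), ...after.keys()])) {
      if (!sameDescriptor(before.get(key), after.get(key))) changed.push(`${name}.${String(key)}`);
    }
  }
  return changed;
}

function assertNoPoisoning() {
  const changed = diffGlobals();
  if (changed.length > 0) throw new Error(`Poisoning detected on: ${changed.join(', ')}`);
}

// Delete keys that were added, then redefine every baseline key from its saved descriptor.
function restoreGlobals() {
  for (const [name, root] of Object.entries(ROOTS)) {
    const before = baseline.get(name);
    for (const key of Reflect.ownKeys(root)) if (!before.has(key)) delete root[key];
    for (const [key, desc] of before) Object.defineProperty(root, key, desc);
  }
}
```

In a test run, call assertNoPoisoning() after each property and restoreGlobals() in a teardown hook so one poisoned case does not mask the next.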

Minimal requirements

  • Node ≥12.17.0

changelog

0.2.2

Rework our testing stack [Code][Diff]

Fixes

0.2.1

Export missing types [Code][Diff]

Fixes

  • (PR#5202) Refactor: Add missing types on exported

0.2.0

Declare root of the package as ESM [Code][Diff]

Breaking changes

  • (PR#4584) CI: Move build chain to ESM

Fixes

  • (PR#4602) CI: Migrate jest to esm

0.1.0

Lighter import with less internals to load [Code][Diff]

Features

  • (PR#4421) Prefer "import type" over raw "import"

Fixes

  • (PR#4286) Test: Confirm basic typings work well

0.0.8

Better support for types on ESM targets [Code][Diff]

Fixes

  • (PR#4176) Bug: Better declare ESM's types
  • (PR#4033) Tooling: Update formatting

0.0.7

Add logo on the README [Code][Diff]

Fixes

  • (PR#3873) Doc: Add poisoning logo url

0.0.6

Attach provenance to the packages [Code][Diff]

Fixes

  • (PR#3774) Security: Attach provenance to the packages

0.0.5

Add support for Node 18 [Code][Diff]

Fixes

  • (PR#3421) Bug: Switch from descriptors to descriptor for Node 18
  • (PR#3473) Funding: Re-order links in funding section

0.0.4

Properly define types for TypeScript [Code][Diff]

Fixes

  • (PR#3387) Bug: Fix types not being properly exported for ESM

0.0.3

Faster computation of diffs when filters apply [Code][Diff]

Features

  • (PR#3318) Do not recompute ignore globals for attributes

Fixes

  • (PR#3316) Funding: Add link to GitHub sponsors in funding
  • (PR#3317) Performance: Faster diff tracking with pre-filtering of ineligible

0.0.2

Add ability to omit some instances when checking for poisoning [Code][Diff]

Features

  • (PR#3160) Adopt shorter names for labels of globals
  • (PR#3176) Do not track private globals
  • (PR#3198) Add ability to ignore some roots
  • (PR#3199) Also track roots starting with "_"

Fixes

  • (PR#3188) Bug: Compute smallest depth for each global
  • (PR#3193) Bug: Even more resiliency against poisoning
  • (PR#3195) Refactor: Keep track of root ancestors
  • (PR#3213) Script: Factorize production tsconfig.json
  • (PR#3095) Test: Test against direct updates of globals
  • (PR#3159) Test: Check captured name for globals

0.0.1

First experimental release of @fast-check/poisoning [Code]