mirror of
https://github.com/RGBCube/serenity
synced 2025-07-26 07:47:37 +00:00
LibJS: Guard against stack overflow in ProxyObject has_property()
If proxy has an undefined trap, it will fallback to target's internal_has_property, which will then check target's prototype for the requested property. If Proxy's prototype is set to the Proxy itself, it will check in itself in a loop, causing a stack overflow.
This commit is contained in:
parent
e7502d4d6d
commit
52a5a42147
2 changed files with 30 additions and 0 deletions
|
@ -85,3 +85,20 @@ describe("[[Has]] invariants", () => {
|
|||
);
|
||||
});
|
||||
});
|
||||
|
||||
test("Proxy handler that has the Proxy itself as its prototype", () => {
|
||||
const handler = {};
|
||||
const proxy = new Proxy({}, handler);
|
||||
handler.__proto__ = proxy;
|
||||
expect(() => {
|
||||
"foo" in proxy;
|
||||
}).toThrowWithMessage(InternalError, "Call stack size limit exceeded");
|
||||
});
|
||||
|
||||
test("Proxy that has the Proxy itself as its prototype", () => {
|
||||
const proxy = new Proxy({}, {});
|
||||
proxy.__proto__ = Object.create(proxy);
|
||||
expect(() => {
|
||||
"foo" in proxy;
|
||||
}).toThrowWithMessage(InternalError, "Call stack size limit exceeded");
|
||||
});
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue