mirror of https://github.com/RGBCube/serenity synced 2025-07-26 07:47:37 +00:00

LibJS: Guard against stack overflow in ProxyObject has_property()

If proxy has an undefined trap, it will fall back to target's
internal_has_property, which will then check target's prototype for
the requested property. If Proxy's prototype is set to the Proxy itself,
it will check in itself in a loop, causing a stack overflow.
Maciej 2023-05-04 14:32:37 +02:00 committed by Tim Flynn
parent e7502d4d6d
commit 52a5a42147
2 changed files with 30 additions and 0 deletions


@ -85,3 +85,20 @@ describe("[[Has]] invariants", () => {
);
});
});
test("Proxy handler that has the Proxy itself as its prototype", () => {
const handler = {};
const proxy = new Proxy({}, handler);
handler.__proto__ = proxy;
expect(() => {
"foo" in proxy;
}).toThrowWithMessage(InternalError, "Call stack size limit exceeded");
});
test("Proxy that has the Proxy itself as its prototype", () => {
const proxy = new Proxy({}, {});
proxy.__proto__ = Object.create(proxy);
expect(() => {
"foo" in proxy;
}).toThrowWithMessage(InternalError, "Call stack size limit exceeded");
});
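Review bot: The second test's title says the Proxy itself is its prototype, but `proxy.__proto__ = Object.create(proxy)` builds the cycle through an intermediate object, so the direct case named in the commit message is not what is asserted here. Either rename the test to say the cycle is indirect or add a third case with `proxy.__proto__ = proxy`, so that both shapes are pinned down. Both new tests also sit after the closing `});` of the "[[Has]] invariants" describe block and only exercise the `in` operator. A small describe of their own would keep the file's grouping consistent, and a comment on the first test noting that the recursion there starts from the handler's prototype chain rather than the target's would help the next reader tell the two cases apart.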