Conversation
| }; | ||
| this._history.push(historyEntry); | ||
| row[position.colIdx] = value; |
Code scanning / CodeQL check warning: Prototype-polluting assignment (Medium)
Copilot Autofix
AI 9 months ago
To fix the issue, we need to ensure that the position parameter cannot introduce prototype pollution. This can be achieved by explicitly validating that position.rowIdx and position.colIdx are numeric indices and do not contain dangerous keys like __proto__, constructor, or prototype.
The best approach is to enhance the isValidPosition method (if it exists) or add explicit checks in the setCellValue method to reject invalid or dangerous keys. This ensures that the _data array is only accessed with safe indices.
| @@ -43,4 +43,10 @@ | ||
| setCellValue(position: ICellPosition, value: TValue): void { | ||
| if (!this.isValidPosition(position)) { | ||
| throw new Error(`Invalid cell position: row ${position.rowIdx}, column ${position.colIdx}`); | ||
| if ( | ||
| !this.isValidPosition(position) || | ||
| typeof position.rowIdx !== 'number' || | ||
| typeof position.colIdx !== 'number' || | ||
| ['__proto__', 'constructor', 'prototype'].includes(String(position.rowIdx)) || | ||
| ['__proto__', 'constructor', 'prototype'].includes(String(position.colIdx)) | ||
| ) { | ||
| throw new Error(`Invalid or unsafe cell position: row ${position.rowIdx}, column ${position.colIdx}`); | ||
| } |
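Review bot: the two `['__proto__', 'constructor', 'prototype'].includes(String(...))` checks are unreachable, because the preceding `typeof position.rowIdx !== 'number'` and `typeof position.colIdx !== 'number'` tests already reject every string, and a number can never stringify to one of those names. At the same time `typeof === 'number'` still admits NaN, negative and fractional values. A single integer-and-bounds test such as `Number.isInteger(position.rowIdx) && position.rowIdx >= 0 && position.rowIdx < this._data.length` (and the same for `colIdx` against the row length) covers both the pollution case and out-of-bounds writes, and it belongs inside `isValidPosition`, which the hunk already calls, rather than duplicated inline in `setCellValue`.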
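To make the CodeQL finding concrete, here is an added example (not code from the dbeaver PR) with a minimal grid store in the shape of the flagged `setCellValue`: an unsafe variant that trusts the position as received, and a hardened variant whose `isValidPosition` accepts only non-negative integer indices within bounds. `UnsafeGrid`, `SafeGrid` and `hostilePosition` are hypothetical names; the JSON input is constructed.

```typescript
// Added example, not code from the dbeaver PR: a grid store in the shape of
// the flagged setCellValue, in an unsafe and a hardened variant.
interface ICellPosition { rowIdx: number; colIdx: number }

// Unsafe: trusts position as received. If rowIdx/colIdx arrive from JSON,
// nothing stops them from being strings such as "__proto__", and
// _data["__proto__"] on an array is Array.prototype.
class UnsafeGrid<TValue> {
  constructor(private _data: TValue[][]) {}
  setCellValue(position: ICellPosition, value: TValue): void {
    const row = (this._data as any)[position.rowIdx];
    row[position.colIdx] = value; // the line CodeQL flags
  }
}

// Hardened: an index is accepted only if it is a non-negative integer inside
// the grid bounds. No denylist of key names is needed, because
// Number.isInteger() already rejects every string, NaN and Infinity.
class SafeGrid<TValue> {
  constructor(private _data: TValue[][]) {}
  private isValidPosition(p: ICellPosition): boolean {
    const { rowIdx, colIdx } = p;
    return Number.isInteger(rowIdx) && rowIdx >= 0 && rowIdx < this._data.length
      && Number.isInteger(colIdx) && colIdx >= 0 && colIdx < this._data[rowIdx].length;
  }
  setCellValue(position: ICellPosition, value: TValue): void {
    if (!this.isValidPosition(position)) {
      throw new Error(`Invalid cell position: row ${position.rowIdx}, column ${position.colIdx}`);
    }
    this._data[position.rowIdx][position.colIdx] = value;
  }
  getCellValue(position: ICellPosition): TValue { return this._data[position.rowIdx][position.colIdx]; }
}

// Constructed input as it might be parsed from an untrusted JSON body: the
// indices are strings, not numbers, which the TypeScript types cannot catch.
const hostilePosition = JSON.parse('{"rowIdx":"__proto__","colIdx":"polluted"}') as ICellPosition;

// True when the write leaked into Array.prototype (visible on a fresh array).
function unsafeWritePollutes(): boolean {
  new UnsafeGrid<string>([["a"]]).setCellValue(hostilePosition, "x");
  const leaked = "polluted" in [];
  delete (Array.prototype as any).polluted; // clean up the shared prototype
  return leaked;
}

// True when the hardened grid rejects the same input and nothing leaked.
function safeWriteRejects(): boolean {
  try { new SafeGrid<string>([["a"]]).setCellValue(hostilePosition, "x"); return false; }
  catch { return !("polluted" in []); }
}

// The hardened grid still stores a legitimate in-bounds write.
function safeWriteStores(): string {
  const grid = new SafeGrid<string>([["a", "b"]]);
  grid.setCellValue({ rowIdx: 0, colIdx: 1 }, "z");
  return grid.getCellValue({ rowIdx: 0, colIdx: 1 });
}
```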
SychevAndrey
left a comment
👍🏻
I like Mutex!
I'm not sure about nanoevents. We have the built-in EventTarget, so why add something?
We definitely need to decide how we're going to write private methods/props: using private _method or #method.
closes dbeaver/pro#5802