Remove Object.prototype.__proto__ (#4341)

cli/js/compiler.ts

@@ -400,6 +400,12 @@ function bootstrapWasmCompilerRuntime(): void {
   globalThis.onmessage = wasmCompilerOnMessage;
 }
 
+// Removes the `__proto__` for security reasons.  This intentionally makes
+// Deno non compliant with ECMA-262 Annex B.2.2.1
+//
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+delete (Object.prototype as any).__proto__;
+
 Object.defineProperties(globalThis, {
   bootstrapWasmCompilerRuntime: {
     value: bootstrapWasmCompilerRuntime,

cli/js/main.ts

@@ -2,6 +2,12 @@
 import { bootstrapMainRuntime } from "./runtime_main.ts";
 import { bootstrapWorkerRuntime } from "./runtime_worker.ts";
 
+// Removes the `__proto__` for security reasons.  This intentionally makes
+// Deno non compliant with ECMA-262 Annex B.2.2.1
+//
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+delete (Object.prototype as any).__proto__;
+
 Object.defineProperties(globalThis, {
   bootstrapMainRuntime: {
     value: bootstrapMainRuntime,

cli/tests/integration_tests.rs

@@ -1426,6 +1426,11 @@ itest!(fix_js_imports {
   output: "fix_js_imports.ts.out",
 });
 
+itest!(proto_exploit {
+  args: "run proto_exploit.js",
+  output: "proto_exploit.js.out",
+});
+
 #[test]
 fn cafile_fetch() {
   use deno::http_cache::url_to_filename;

cli/tests/proto_exploit.js

@@ -0,0 +1,5 @@
+const payload = `{ "__proto__": null }`;
+const obj = {};
+console.log("Before: " + obj);
+Object.assign(obj, JSON.parse(payload));
+console.log("After: " + obj);

cli/tests/proto_exploit.js.out

@@ -0,0 +1,2 @@
+Before: [object Object]
+After: [object Object]