fix: revert breaking change in results creation

Author: wellwelwel

lib/helpers.js

@@ -16,7 +16,7 @@
   */
 function srcEscape(str) {
   return JSON.stringify({
-    [str]: 1
+    [str]: 1,
   }).slice(1, -3);
 }
 
@@ -29,7 +29,7 @@ try {
   const REQUIRE_TERMINATOR = '';
   highlightFn = require(`cardinal${REQUIRE_TERMINATOR}`).highlight;
 } catch (err) {
-  highlightFn = text => {
+  highlightFn = (text) => {
     if (!cardinalRecommended) {
       // eslint-disable-next-line no-console
       console.log('For nicer debug output consider install cardinal@^2.0.0');
@@ -56,10 +56,44 @@ exports.printDebugWithCode = printDebugWithCode;
  */
 function typeMatch(type, list, Types) {
   if (Array.isArray(list)) {
-    return list.some(t => type === Types[t]);
+    return list.some((t) => type === Types[t]);
   }
 
   return !!list;
 }
 
 exports.typeMatch = typeMatch;
+
+function createSafeObject() {
+  const nativeProps = ['hasOwnProperty', 'toString', 'valueOf'];
+
+  const handler = {
+    get(_, prop, receiver) {
+      const isNativeProp = nativeProps.includes(prop);
+
+      if (isNativeProp) {
+        return (...args) => Object.prototype[prop].apply(receiver, args);
+      }
+
+      if (prop === '__proto__') {
+        return Object.prototype;
+      }
+
+      return Reflect.get(...arguments);
+    },
+    set(_, prop) {
+      const isNativeProp = nativeProps.includes(prop);
+
+      if (isNativeProp || prop === '__proto__') {
+        return false;
+      }
+
+      return Reflect.set(...arguments);
+    },
+  };
+
+  const safePrototype = Object.create(Object.prototype);
+  return new Proxy(safePrototype, handler);
+}
+
+exports.createSafeObject = createSafeObject;

lib/parsers/binary_parser.js

@@ -122,13 +122,7 @@ function compile(fields, options, config) {
   if (options.rowsAsArray) {
     parserFn(`const result = new Array(${fields.length});`);
   } else {
-    parserFn('const result = Object.create(null);');
-    parserFn(`Object.defineProperty(result, "constructor", {
-      value: Object.create(null),
-      writable: false,
-      configurable: false,
-      enumerable: false
-    });`);
+    parserFn('const result = createSafeObject();');
   }
 
   // Global typeCast
@@ -161,7 +155,7 @@ function compile(fields, options, config) {
     } else if (options.nestTables === true) {
       tableName = helpers.srcEscape(fields[i].table);
       parserFn(
-        `if (!result[${tableName}]) result[${tableName}] = Object.create(null);`,
+        `if (!result[${tableName}]) result[${tableName}] = createSafeObject();`,
       );
       lvalue = `result[${tableName}][${fieldName}]`;
     } else if (options.rowsAsArray) {
@@ -207,7 +201,10 @@ function compile(fields, options, config) {
       parserFn.toString(),
     );
   }
-  return parserFn.toFunction({ wrap });
+  return parserFn.toFunction({
+    wrap,
+    createSafeObject: helpers.createSafeObject,
+  });
 }
 
 function getBinaryParser(fields, options, config) {

lib/parsers/text_parser.js

@@ -131,13 +131,7 @@ function compile(fields, options, config) {
   if (options.rowsAsArray) {
     parserFn(`const result = new Array(${fields.length});`);
   } else {
-    parserFn('const result = Object.create(null);');
-    parserFn(`Object.defineProperty(result, "constructor", {
-      value: Object.create(null),
-      writable: false,
-      configurable: false,
-      enumerable: false
-    });`);
+    parserFn('const result = createSafeObject();');
   }
 
   const resultTables = {};
@@ -150,7 +144,7 @@ function compile(fields, options, config) {
     resultTablesArray = Object.keys(resultTables);
     for (let i = 0; i < resultTablesArray.length; i++) {
       parserFn(
-        `result[${helpers.srcEscape(resultTablesArray[i])}] = Object.create(null);`,
+        `result[${helpers.srcEscape(resultTablesArray[i])}] = createSafeObject();`,
       );
     }
   }
@@ -203,9 +197,12 @@ function compile(fields, options, config) {
     );
   }
   if (typeof options.typeCast === 'function') {
-    return parserFn.toFunction({ wrap });
+    return parserFn.toFunction({
+      wrap,
+      createSafeObject: helpers.createSafeObject,
+    });
   }
-  return parserFn.toFunction();
+  return parserFn.toFunction({ createSafeObject: helpers.createSafeObject });
 }
 
 function getTextParser(fields, options, config) {

test/esm/unit/helpers/create-safe-object.test.mjs

@@ -0,0 +1,20 @@
+import { describe, assert } from 'poku';
+import { describeOptions } from '../../../common.test.cjs';
+import { createSafeObject } from '../../../../lib/helpers.js';
+
+describe('Creating a safe object', describeOptions);
+
+const stdObj = {};
+const safeObj = createSafeObject();
+
+assert.deepStrictEqual(stdObj, safeObj, 'Ensure __proto__ is immutable');
+assert.throws(() => {
+  safeObj.__proto__ = { toString: () => true };
+}, 'Ensure safeObject is valid');
+
+stdObj.__proto__ = { toString: () => true };
+assert.notDeepStrictEqual(
+  stdObj,
+  safeObj,
+  'Ensure that the object is not the same as the poisoned __proto__',
+);

test/esm/unit/parsers/prototype-binary-results.test.mjs

@@ -7,32 +7,23 @@ describe('Binary Parser: Prototype Sanitization', describeOptions);
 
 Promise.all([
   test(async () => {
-    const expected = [{}];
-    expected[0].test = 2;
-
-    const [results] = await connection.query('SELECT 1+1 AS `test`');
-
-    assert.notDeepStrictEqual(
-      results,
-      expected,
-      `Ensure "results" doesn't contain a standard object ({})`,
-    );
-  }),
-  test(async () => {
-    const expected = [Object.create(null)];
-    expected[0].test = 2;
+    const expected = [
+      {
+        test: 2,
+      },
+    ];
 
     const [results] = await connection.execute('SELECT 1+1 AS `test`');
 
     assert.deepStrictEqual(results, expected, 'Ensure clean object "results"');
-    assert.strictEqual(
-      Object.getPrototypeOf(results[0]),
-      null,
+    assert.deepStrictEqual(
+      JSON.stringify(Object.getPrototypeOf(results[0])),
+      JSON.stringify({}),
       'Ensure clean properties in results items',
     );
     assert.strictEqual(
       typeof results[0].toString,
-      'undefined',
+      'function',
       'Re-check prototypes (manually) in results columns',
     );
     assert.strictEqual(

test/esm/unit/parsers/prototype-text-results.test.mjs

@@ -3,36 +3,27 @@ import { createConnection, describeOptions } from '../../../common.test.cjs';
 
 const connection = createConnection().promise();
 
-describe('Text Parser: Prototype Sanitization', describeOptions);
+describe('Binary Parser: Prototype Sanitization', describeOptions);
 
 Promise.all([
   test(async () => {
-    const expected = [{}];
-    expected[0].test = 2;
-
-    const [results] = await connection.query('SELECT 1+1 AS `test`');
-
-    assert.notDeepStrictEqual(
-      results,
-      expected,
-      `Ensure "results" doesn't contain a standard object ({})`,
-    );
-  }),
-  test(async () => {
-    const expected = [Object.create(null)];
-    expected[0].test = 2;
+    const expected = [
+      {
+        test: 2,
+      },
+    ];
 
     const [results] = await connection.query('SELECT 1+1 AS `test`');
 
     assert.deepStrictEqual(results, expected, 'Ensure clean object "results"');
-    assert.strictEqual(
-      Object.getPrototypeOf(results[0]),
-      null,
+    assert.deepStrictEqual(
+      JSON.stringify(Object.getPrototypeOf(results[0])),
+      JSON.stringify({}),
       'Ensure clean properties in results items',
     );
     assert.strictEqual(
       typeof results[0].toString,
-      'undefined',
+      'function',
       'Re-check prototypes (manually) in results columns',
     );
     assert.strictEqual(