Skip to content

adds the extracted @gadgetinc/core package#899

Draft
infiton wants to merge 1 commit intomainfrom
refactor-all-client-packages
Draft

adds the extracted @gadgetinc/core package#899
infiton wants to merge 1 commit intomainfrom
refactor-all-client-packages

Conversation

@infiton
Copy link
Contributor

@infiton infiton commented Oct 6, 2025

... a description that explains what, why, and how ...

PR Checklist

  • Important or complicated code is tested
  • Any user facing changes are documented in the Gadget-side changelog
  • Any immediate changes are slated for release in Gadget via a generated package dependency bump
  • Versions within this monorepo are matching and there's a valid upgrade path

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 6, 2025
View reviewed changes
packages/core/src/support.ts
for (const validationError of invalidRecordError.validationErrors) {
if (invalidRecordError.modelApiIdentifier) {
result[invalidRecordError.modelApiIdentifier] ??= {};
result[invalidRecordError.modelApiIdentifier][validationError.apiIdentifier] = { message: validationError.message };

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from
library input
Loading
.

Copilot Autofix

AI 5 months ago

To fix this, we should prevent dangerous values ('__proto__', 'constructor', 'prototype') from ever being used as keys on plain objects. The best way, without changing existing functionality, is to add a check when assigning to result[invalidRecordError.modelApiIdentifier] (line 733) and, optionally, result[validationError.apiIdentifier] (line 735), to ensure that neither key is one of the dangerous reserved names. If encountered, we should skip that assignment and possibly log or collect as a separate error. This fix should be implemented directly in the loop in the formatErrorMessages function. No extra dependencies are required; the fix is a conditional check.

Suggested changeset 1
packages/core/src/support.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/core/src/support.ts b/packages/core/src/support.ts
--- a/packages/core/src/support.ts
+++ b/packages/core/src/support.ts
@@ -729,10 +729,19 @@
     const invalidRecordError = error as InvalidRecordError;
     for (const validationError of invalidRecordError.validationErrors) {
       if (invalidRecordError.modelApiIdentifier) {
-        result[invalidRecordError.modelApiIdentifier] ??= {};
-        result[invalidRecordError.modelApiIdentifier][validationError.apiIdentifier] = { message: validationError.message };
+        const key = invalidRecordError.modelApiIdentifier;
+        if (key !== "__proto__" && key !== "constructor" && key !== "prototype") {
+          result[key] ??= {};
+          const fieldKey = validationError.apiIdentifier;
+          if (fieldKey !== "__proto__" && fieldKey !== "constructor" && fieldKey !== "prototype") {
+            result[key][fieldKey] = { message: validationError.message };
+          }
+        }
       } else {
-        result[validationError.apiIdentifier] = { message: validationError.message };
+        const key = validationError.apiIdentifier;
+        if (key !== "__proto__" && key !== "constructor" && key !== "prototype") {
+          result[key] = { message: validationError.message };
+        }
       }
     }
   } else {
EOF
@@ -729,10 +729,19 @@
const invalidRecordError = error as InvalidRecordError;
for (const validationError of invalidRecordError.validationErrors) {
if (invalidRecordError.modelApiIdentifier) {
result[invalidRecordError.modelApiIdentifier] ??= {};
result[invalidRecordError.modelApiIdentifier][validationError.apiIdentifier] = { message: validationError.message };
const key = invalidRecordError.modelApiIdentifier;
if (key !== "__proto__" && key !== "constructor" && key !== "prototype") {
result[key] ??= {};
const fieldKey = validationError.apiIdentifier;
if (fieldKey !== "__proto__" && fieldKey !== "constructor" && fieldKey !== "prototype") {
result[key][fieldKey] = { message: validationError.message };
}
}
} else {
result[validationError.apiIdentifier] = { message: validationError.message };
const key = validationError.apiIdentifier;
if (key !== "__proto__" && key !== "constructor" && key !== "prototype") {
result[key] = { message: validationError.message };
}
}
}
} else {
Copilot is powered by AI and may make mistakes. Always verify output.
@infiton infiton force-pushed the refactor-all-client-packages branch from 398b20f to 73ecbd2 Compare October 6, 2025 13:57
@infiton infiton force-pushed the refactor-all-client-packages branch from 73ecbd2 to e716377 Compare October 6, 2025 17:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@infiton