-
-
Notifications
You must be signed in to change notification settings - Fork 625
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: revert breaking change in results creation #2591
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2591 +/- ##
=======================================
Coverage 90.32% 90.32%
=======================================
Files 71 71
Lines 15717 15725 +8
Branches 1334 1339 +5
=======================================
+ Hits 14196 14204 +8
Misses 1521 1521
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Let's run some benchmarks before merging |
@sidorares, I rewrote the logic and description of this PR. Could you check again? 🙋🏻♂️ |
Basic benchmark: const arrayIncludes = (field) => {
console.time('Array.includes');
const privateObjectProps = [
'__defineGetter__',
'__defineSetter__',
'__lookupGetter__',
'__lookupSetter__',
'__proto__',
];
for (let i = 0; i < 1000000; i++) privateObjectProps.includes(field);
console.timeEnd('Array.includes');
};
const setHas = (field) => {
console.time('Set.has');
const privateObjectProps = new Set([
'__defineGetter__',
'__defineSetter__',
'__lookupGetter__',
'__lookupSetter__',
'__proto__',
]);
for (let i = 0; i < 1000000; i++) privateObjectProps.has(field);
console.timeEnd('Set.has');
};
for (let i = 0; i < 5; i++) arrayIncludes('field');
for (let i = 0; i < 5; i++) setHas('field'); Results:
Compatibility:
|
…ation (#2572) Fixes a potential RCE attack vulnerability reported by Vsevolod Kokorin (Slonser) of Solidlab
Bringing a comment here: 74abf9e#r140992502 🤝 |
Instead of checking the field name manually, we have some alternatives:
Also, if we consider the current solution, it's possible to return an empty object instead of throwing an error, as in mysqljs/mysql. |
Merging this. For a major release, I recommend reverting this PR and include a safer approach in docs, such as: Object.hasOwn(row, 'column'); |
thank you so much for the solution |
The previous solution (#2574) aimed to create a clean object, but it caused a major change.
Instead, I just grouped the object's private properties:
Then, it will perform a simple validation to ensure that the
fields[i].name
is safe:By this way, it's possible to:
prototype
after the query has been finished, they can