Conversation

infiton
Contributor

@infiton infiton commented Oct 4, 2025

... a description that explains what, why, and how ...

PR Checklist

  • Important or complicated code is tested
  • Any user-facing changes are documented in the Gadget-side changelog
  • Any immediate changes are slated for release in Gadget via a generated package dependency bump
  • Versions within this monorepo are matching and there's a valid upgrade path

    if (key == "id" && shouldExtractId) {
      newVariables.id = value;
    } else {
      newVariables[action.modelApiIdentifier][key] = value;
    }

Check warning: Code scanning / CodeQL

Prototype-polluting assignment (Medium)

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix

AI 1 day ago

To fix this prototype pollution risk, we need to prevent dangerous property names (e.g., __proto__, constructor, prototype) from being set as object keys on plain objects. The standard approaches are:

  • Sanitizing input keys: Check keys before assigning them, and reject or skip dangerous ones.
  • Using a prototype-less object: Replace {} with Object.create(null), which has no prototype, so polluting assignments are safe.
  • Using a Map: However, if consumers expect variables to be a plain object, the safest is to use a prototype-less object.

In this code, the critical region is the construction of newVariables (lines 279–291), especially the assignment of subkeys at line 289. Rather than {}, we should use Object.create(null) for newVariables[action.modelApiIdentifier], and ideally also for newVariables itself (though its keys come from trusted sources except possibly key == 'id').

Implementation steps:

  • On line 280, replace {} with Object.create(null).
  • Where keys are written (line 289), optionally add a check skipping dangerous keys, but using prototype-less objects is already sufficient.
  • This change is wholly within the shown code region.
  • No external imports are needed.

Suggested changeset 1
packages/utils/src/support.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/utils/src/support.ts b/packages/utils/src/support.ts
--- a/packages/utils/src/support.ts
+++ b/packages/utils/src/support.ts
@@ -277,7 +277,7 @@
       newVariables = variables;
     } else {
       newVariables = {
-        [action.modelApiIdentifier]: {},
+        [action.modelApiIdentifier]: Object.create(null),
       };
       for (const [key, value] of Object.entries(variables)) {
         if (action.paramOnlyVariables?.includes(key)) {
EOF
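Review bot: the `+` line hardens only `newVariables[action.modelApiIdentifier]`; the second CodeQL finding on this PR, `result[invalidRecordError.modelApiIdentifier] ??= {}` followed by a write keyed on `validationError.apiIdentifier`, has the same shape and is not covered by this changeset, so it needs the same null-prototype container or a key check. Two follow-ups on the hunk itself: with `Object.create(null)` a `__proto__` or `constructor` key from `variables` is no longer a prototype write, but it is still stored and forwarded as an own property, so if such names are never legitimate variables, rejecting them inside the `for (const [key, value] of Object.entries(variables))` loop makes the intent explicit and surfaces the bad input; and the resulting object has no `Object.prototype` methods (`hasOwnProperty`, `toString`), which any downstream consumer of the grouped variables must tolerate.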
    for (const validationError of invalidRecordError.validationErrors) {
      if (invalidRecordError.modelApiIdentifier) {
        result[invalidRecordError.modelApiIdentifier] ??= {};
        result[invalidRecordError.modelApiIdentifier][validationError.apiIdentifier] = { message: validationError.message };
      }
    }

Check warning: Code scanning / CodeQL

Prototype-polluting assignment (Medium)

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.
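Added example, not code from this repository: it models the `newVariables` construction behind the first CodeQL finding (the `result[...] ??= {}` finding above has the same shape) and contrasts the plain `{}` container with the null-prototype container from the autofix plus an explicit key guard. The `Action` and `Vars` types, the handling of `paramOnlyVariables`, the `groupVariables*` names and the request body are assumptions made for the demonstration.

```typescript
// Added example, not code from the repository: models the `newVariables`
// construction flagged by CodeQL and the null-prototype fix from the autofix.
type Action = { modelApiIdentifier: string; paramOnlyVariables?: string[] };
type Vars = Record<string, any>;

// Keys that must never be written to an object through a dynamic path.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Before the fix: the per-model container is a plain {}, so a "__proto__" key
// coming from `variables` swaps the container's prototype for user-controlled data.
function groupVariablesUnsafe(action: Action, variables: Vars, shouldExtractId = true): Vars {
  const newVariables: Vars = { [action.modelApiIdentifier]: {} };
  for (const [key, value] of Object.entries(variables)) {
    // Assumption: param-only variables are kept at the top level (not shown on the page).
    if (action.paramOnlyVariables?.includes(key)) { newVariables[key] = value; continue; }
    if (key === "id" && shouldExtractId) newVariables.id = value;
    else newVariables[action.modelApiIdentifier][key] = value;
  }
  return newVariables;
}

// After the fix: a null-prototype container (no inherited __proto__ setter to trigger),
// plus an explicit guard so dangerous keys are rejected instead of stored as own properties.
function groupVariablesSafe(action: Action, variables: Vars, shouldExtractId = true): Vars {
  const newVariables: Vars = { [action.modelApiIdentifier]: Object.create(null) };
  for (const [key, value] of Object.entries(variables)) {
    if (DANGEROUS_KEYS.has(key)) throw new Error(`rejected variable name: ${key}`);
    if (action.paramOnlyVariables?.includes(key)) { newVariables[key] = value; continue; }
    if (key === "id" && shouldExtractId) newVariables.id = value;
    else newVariables[action.modelApiIdentifier][key] = value;
  }
  return newVariables;
}

// Constructed request body. JSON.parse creates an *own* "__proto__" key (an object
// literal would not), which is how such a key arrives from a parsed HTTP body.
const ACTION: Action = { modelApiIdentifier: "post" };
const ATTACKER_BODY: Vars = JSON.parse('{"id":"7","title":"x","__proto__":{"isAdmin":true}}');

function demo() {
  const unsafe = groupVariablesUnsafe(ACTION, ATTACKER_BODY);
  let safeRejected = false;
  try { groupVariablesSafe(ACTION, ATTACKER_BODY); } catch (_err) { safeRejected = true; }
  return {
    unsafeInheritsIsAdmin: unsafe.post.isAdmin === true,   // read through the swapped prototype
    unsafeSerialized: JSON.stringify(unsafe.post),         // '{"title":"x"}': the injection is invisible
    // this shape only alters the container; with a dynamic outer key the same write reaches Object.prototype
    globalPrototypeUntouched: !("isAdmin" in {}),
    safeRejected,
    safeContainerHasNoPrototype: Object.getPrototypeOf(groupVariablesSafe(ACTION, { title: "x" }).post) === null,
  };
}
```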