Object.assign interaction with __proto__ field.

# Mike Samuel (6 years ago)

Might it be a spec bug that in the below, o's prototype changes, and o.x !== b.x?

const a = makeIntercepter(); const b = { x: 1 }; const o = Object.assign( {}, a, b);

console.log(o is plain Object: ${ Object.getPrototypeOf(o) === Object.prototype });

console.log(b.x=${ b.x }, o.x=${ o.x });

function makeIntercepter() { return JSON.parse( // Get an object that has an actual "proto" property. '{ "proto": {} }', // Replace the proto property's value with one that // traps assignment to x. (key, value) => ( (key === 'proto') ? { set x(v) { console.log(intercepted ${ v }); }, get x() { return 2; }, } : value)); }

In modern Chrome, Firefox, Safari I get intercepted 1 getPrototypeOf(o)===Object.prototype: false b.x=1, o.x=2

# Andrea Giammarchi (6 years ago)

same way Object.assign makes getters own properties, anything else special gets assigned right away, including Symbols.

This is a usually ignored gotta of the issue Object.assign could actually cause in the wild, specially with polyfills where WeakMap symbols assigned directly might be passed around.

I'm not sure __proto__ as key deserves any special treatment, compared to all other little gotchas, but FWIW I'm still for banning __proto__ from the language through 1 year of browsers warnings and a wide community involvement in getting rid of that little "bomb" ECMA kept in core.

NodeJS got bitten with query strings, developers loading user land JSON can get bitten with "__proto__": null and so on and so fort.

.

# Jordan Harband (6 years ago)

You don't need JSON.parse there - see Object.getPrototypeOf({ ['__proto__']: null }) !== null.

# Claude Pache (6 years ago)

Le 26 sept. 2018 à 16:27, Mike Samuel <mikesamuel at gmail.com> a écrit :

Might it be a spec bug that in the below, o's prototype changes, and o.x !== b.x?

const a = makeIntercepter(); const b = { x: 1 }; const o = Object.assign( {}, a, b);

console.log(o is plain Object: ${ Object.getPrototypeOf(o) === Object.prototype });

console.log(b.x=${ b.x }, o.x=${ o.x });

function makeIntercepter() { return JSON.parse( // Get an object that has an actual "proto" property. '{ "proto": {} }', // Replace the proto property's value with one that // traps assignment to x. (key, value) => ( (key === 'proto') ? { set x(v) { console.log(intercepted ${ v }); }, get x() { return 2; }, } : value)); }

In modern Chrome, Firefox, Safari I get intercepted 1 getPrototypeOf(o)===Object.prototype: false b.x=1, o.x=2


es-discuss mailing list es-discuss at mozilla.org, mail.mozilla.org/listinfo/es-discuss, mail.mozilla.org/listinfo/es-discuss

🤦 It’s not a bug. But you definitely convinced me to add delete Object.prototype.__proto__ at the top of my JS.