lib: make validateObject less affected by prototype tampering

PR-URL: #42929
Reviewed-By: Tobias Nießen <[email protected]>

Author: aduh95

lib/internal/validators.js

@@ -10,6 +10,7 @@ const {
   NumberMAX_SAFE_INTEGER,
   NumberMIN_SAFE_INTEGER,
   NumberParseInt,
+  ObjectPrototypeHasOwnProperty,
   RegExpPrototypeExec,
   String,
   StringPrototypeToUpperCase,
@@ -150,6 +151,12 @@ function validateBoolean(value, name) {
     throw new ERR_INVALID_ARG_TYPE(name, 'boolean', value);
 }
 
+function getOwnPropertyValueOrDefault(options, key, defaultValue) {
+  return options == null || !ObjectPrototypeHasOwnProperty(options, key) ?
+    defaultValue :
+    options[key];
+}
+
 /**
  * @param {unknown} value
  * @param {string} name
@@ -161,10 +168,9 @@ function validateBoolean(value, name) {
  */
 const validateObject = hideStackFrames(
   (value, name, options) => {
-    const useDefaultOptions = options == null;
-    const allowArray = useDefaultOptions ? false : options.allowArray;
-    const allowFunction = useDefaultOptions ? false : options.allowFunction;
-    const nullable = useDefaultOptions ? false : options.nullable;
+    const allowArray = getOwnPropertyValueOrDefault(options, 'allowArray', false);
+    const allowFunction = getOwnPropertyValueOrDefault(options, 'allowFunction', false);
+    const nullable = getOwnPropertyValueOrDefault(options, 'nullable', false);
     if ((!nullable && value === null) ||
         (!allowArray && ArrayIsArray(value)) ||
         (typeof value !== 'object' && (

test/parallel/test-validators.js

@@ -105,6 +105,10 @@ const invalidArgValueError = {
 
 {
   // validateObject tests.
+  Object.prototype.nullable = true;
+  Object.prototype.allowArray = true;
+  Object.prototype.allowFunction = true;
+
   validateObject({}, 'foo');
   validateObject({ a: 42, b: 'foo' }, 'foo');
 
@@ -119,6 +123,15 @@ const invalidArgValueError = {
   validateObject(null, 'foo', { nullable: true });
   validateObject([], 'foo', { allowArray: true });
   validateObject(() => {}, 'foo', { allowFunction: true });
+
+  // validateObject should not be affected by Object.prototype tampering.
+  assert.throws(() => validateObject(null, 'foo', { allowArray: true }), invalidArgTypeError);
+  assert.throws(() => validateObject([], 'foo', { nullable: true }), invalidArgTypeError);
+  assert.throws(() => validateObject(() => {}, 'foo', { nullable: true }), invalidArgTypeError);
+
+  delete Object.prototype.nullable;
+  delete Object.prototype.allowArray;
+  delete Object.prototype.allowFunction;
 }
 
 {