tools: add ArrayPrototypeConcat to the list of primordials to avoid

Author: aduh95

lib/internal/bootstrap/node.js

@@ -56,8 +56,8 @@ setupPrepareStackTrace();
 
 const {
   Array,
-  ArrayPrototypeConcat,
   ArrayPrototypeFill,
+  ArrayPrototypePushApply,
   FunctionPrototypeCall,
   JSONParse,
   Number,
@@ -174,11 +174,11 @@ const rawMethods = internalBinding('process_methods');
 
   process.getActiveResourcesInfo = function() {
     const timerCounts = internalTimers.getTimerCounts();
-    return ArrayPrototypeConcat(
-      rawMethods._getActiveRequestsInfo(),
-      rawMethods._getActiveHandlesInfo(),
-      ArrayPrototypeFill(new Array(timerCounts.timeoutCount), 'Timeout'),
-      ArrayPrototypeFill(new Array(timerCounts.immediateCount), 'Immediate'));
+    const info = rawMethods._getActiveRequestsInfo();
+    ArrayPrototypePushApply(info, rawMethods._getActiveHandlesInfo());
+    ArrayPrototypePushApply(info, ArrayPrototypeFill(new Array(timerCounts.timeoutCount), 'Timeout'));
+    ArrayPrototypePushApply(info, ArrayPrototypeFill(new Array(timerCounts.immediateCount), 'Immediate'));
+    return info;
   };
 
   // TODO(joyeecheung): remove these

lib/internal/debugger/inspect.js

@@ -1,11 +1,11 @@
 'use strict';
 
 const {
-  ArrayPrototypeConcat,
   ArrayPrototypeForEach,
   ArrayPrototypeJoin,
   ArrayPrototypeMap,
   ArrayPrototypePop,
+  ArrayPrototypePushApply,
   ArrayPrototypeShift,
   ArrayPrototypeSlice,
   FunctionPrototypeBind,
@@ -85,9 +85,8 @@ const debugRegex = /Debugger listening on ws:\/\/\[?(.+?)\]?:(\d+)\//;
 async function runScript(script, scriptArgs, inspectHost, inspectPort,
                          childPrint) {
   await portIsFree(inspectHost, inspectPort);
-  const args = ArrayPrototypeConcat(
-    [`--inspect-brk=${inspectPort}`, script],
-    scriptArgs);
+  const args = [`--inspect-brk=${inspectPort}`, script];
+  ArrayPrototypePushApply(args, scriptArgs);
   const child = spawn(process.execPath, args);
   child.stdout.setEncoding('utf8');
   child.stderr.setEncoding('utf8');

lib/internal/main/print_help.js

@@ -31,6 +31,7 @@ for (const key of ObjectKeys(types))
 // Environment variables are parsed ad-hoc throughout the code base,
 // so we gather the documentation here.
 const { hasIntl, hasSmallICU, hasNodeOptions } = internalBinding('config');
+// eslint-disable-next-line node-core/avoid-prototype-pollution
 const envVars = new SafeMap(ArrayPrototypeConcat([
   ['FORCE_COLOR', { helpText: "when set to 'true', 1, 2, 3, or an empty " +
    'string causes NO_COLOR and NODE_DISABLE_COLORS to be ignored.' }],

lib/internal/modules/cjs/loader.js

@@ -23,7 +23,6 @@
 
 const {
   ArrayIsArray,
-  ArrayPrototypeConcat,
   ArrayPrototypeFilter,
   ArrayPrototypeIncludes,
   ArrayPrototypeIndexOf,
@@ -769,9 +768,12 @@ Module._resolveLookupPaths = function(request, parent) {
       StringPrototypeCharAt(request, 1) !== '/' &&
       (!isWindows || StringPrototypeCharAt(request, 1) !== '\\'))) {
 
-    let paths = modulePaths;
+    let paths;
     if (parent?.paths?.length) {
-      paths = ArrayPrototypeConcat(parent.paths, paths);
+      paths = ArrayPrototypeSlice(modulePaths);
+      ArrayPrototypeUnshiftApply(paths, parent.paths);
+    } else {
+      paths = modulePaths;
     }
 
     debug('looking for %j in %j', request, paths);

lib/internal/modules/esm/resolve.js

@@ -2,8 +2,8 @@
 
 const {
   ArrayIsArray,
-  ArrayPrototypeConcat,
   ArrayPrototypeJoin,
+  ArrayPrototypePush,
   ArrayPrototypeShift,
   JSONStringify,
   ObjectFreeze,
@@ -986,11 +986,11 @@ function throwIfUnsupportedURLScheme(parsed, experimentalNetworkImports) {
       )
     )
   ) {
-    throw new ERR_UNSUPPORTED_ESM_URL_SCHEME(parsed, ArrayPrototypeConcat(
-      'file',
-      'data',
-      experimentalNetworkImports ? ['https', 'http'] : [],
-    ));
+    const schemes = ['file', 'data'];
+    if (experimentalNetworkImports) {
+      ArrayPrototypePush(schemes, 'https', 'http');
+    }
+    throw new ERR_UNSUPPORTED_ESM_URL_SCHEME(parsed, schemes);
   }
 }
 

lib/internal/perf/observe.js

@@ -9,7 +9,6 @@ const {
   ArrayPrototypePushApply,
   ArrayPrototypeSlice,
   ArrayPrototypeSort,
-  ArrayPrototypeConcat,
   Error,
   MathMax,
   MathMin,
@@ -513,7 +512,10 @@ function filterBufferMapByNameAndType(name, type) {
     // Unrecognized type;
     return [];
   } else {
-    bufferList = ArrayPrototypeConcat(markEntryBuffer, measureEntryBuffer, resourceTimingBuffer);
+    bufferList = [];
+    ArrayPrototypePushApply(bufferList, markEntryBuffer);
+    ArrayPrototypePushApply(bufferList, measureEntryBuffer);
+    ArrayPrototypePushApply(bufferList, resourceTimingBuffer);
   }
   if (name !== undefined) {
     bufferList = ArrayPrototypeFilter(bufferList, (buffer) => buffer.name === name);

lib/internal/util/inspector.js

@@ -1,8 +1,8 @@
 'use strict';
 
 const {
-  ArrayPrototypeConcat,
   ArrayPrototypeSome,
+  ArrayPrototypePushApply,
   FunctionPrototypeBind,
   ObjectDefineProperty,
   ObjectKeys,
@@ -69,10 +69,9 @@ function installConsoleExtensions(commandLineApi) {
   const { makeRequireFunction } = require('internal/modules/cjs/helpers');
   const consoleAPIModule = new CJSModule('<inspector console>');
   const cwd = tryGetCwd();
-  consoleAPIModule.paths = ArrayPrototypeConcat(
-    CJSModule._nodeModulePaths(cwd),
-    CJSModule.globalPaths
-  );
+  consoleAPIModule.paths = [];
+  ArrayPrototypePushApply(consoleAPIModule.paths, CJSModule._nodeModulePaths(cwd));
+  ArrayPrototypePushApply(consoleAPIModule.paths, CJSModule.globalPaths);
   commandLineApi.require = makeRequireFunction(consoleAPIModule);
 }
 

lib/repl.js

@@ -43,7 +43,6 @@
 'use strict';
 
 const {
-  ArrayPrototypeConcat,
   ArrayPrototypeFilter,
   ArrayPrototypeFindIndex,
   ArrayPrototypeForEach,
@@ -52,6 +51,7 @@ const {
   ArrayPrototypeMap,
   ArrayPrototypePop,
   ArrayPrototypePush,
+  ArrayPrototypePushApply,
   ArrayPrototypeReverse,
   ArrayPrototypeShift,
   ArrayPrototypeSlice,
@@ -1332,7 +1332,9 @@ function complete(line, callback) {
       } else if (RegExpPrototypeExec(/^\.\.?\//, completeOn) !== null) {
         paths = [process.cwd()];
       } else {
-        paths = ArrayPrototypeConcat(module.paths, CJSModule.globalPaths);
+        paths = [];
+        ArrayPrototypePushApply(paths, module.paths);
+        ArrayPrototypePushApply(paths, CJSModule.globalPaths);
       }
 
       ArrayPrototypeForEach(paths, (dir) => {

test/parallel/test-eslint-avoid-prototype-pollution.js

@@ -295,5 +295,9 @@ new RuleTester({
         code: 'PromiseRace([])',
         errors: [{ message: /\bSafePromiseRace\b/ }]
       },
+      {
+        code: 'ArrayPrototypeConcat([])',
+        errors: [{ message: /\bisConcatSpreadable\b/ }]
+      },
     ]
   });

tools/eslint-rules/avoid-prototype-pollution.js

@@ -224,6 +224,14 @@ module.exports = {
           message: `Use Safe${node.callee.name} instead of ${node.callee.name}`,
         });
       },
+
+      [CallExpression('ArrayPrototypeConcat')](node) {
+        context.report({
+          node,
+          message: '%Array.prototype.concat% looks up `@@isConcatSpreadable` ' +
+                   'which can be subject to prototype pollution',
+        });
+      },
     };
   },
 };