LGTM-Alert Prototype pollution?
Uzlopak opened this issue · 2 comments
Uzlopak commented
Prerequisites
- I have written a descriptive issue title
- I have searched existing issues to ensure the issue has not already been raised
Issue
We should just check if this is a valid alert or not.
https://lgtm.com/projects/g/fastify/fast-json-stringify?mode=tree&ruleFocus=1513136283260
According to lgtm it was introduced with #504
mcollina commented
It's not a problem: https://github.com/fastify/fast-json-stringify#security
climba03003 commented
Even the alert itself should be a false positive.
`fjsCloned` is a symbol, not a user-provided string. It can never be `__proto__` and trigger the problem described.
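As an added illustration of the point above (example code, not fast-json-stringify's own), the following shows why a Symbol-keyed marker like `fjsCloned` cannot act as a prototype-polluting key, in contrast to a user-controlled string key. The `fjsCloned` symbol and the helper functions here are constructed for the example; only the marker name comes from the thread.

```javascript
// Constructed stand-in for the symbol marker discussed in the issue.
const fjsCloned = Symbol('fjsCloned')

// Prototype pollution needs the *string* key '__proto__' (or the
// 'constructor' / 'prototype' chain). A symbol is distinct from every
// string, so the check is decided by the key's type alone.
function isPollutingKey (key) {
  if (typeof key === 'symbol') return false
  return key === '__proto__' || key === 'constructor' || key === 'prototype'
}

// Marks a schema object as cloned using the symbol key. Assignment with a
// symbol key can only create an own property on `schema`, never reach
// Object.prototype.
function markCloned (schema) {
  schema[fjsCloned] = true
  return schema
}

// Contrast: a string key that may come from untrusted input needs the guard
// (hypothetical helper to show where the real risk lives).
function setUserKey (target, key, value) {
  if (isPollutingKey(key)) {
    throw new Error(`refusing to set property ${String(key)}`)
  }
  target[key] = value
  return target
}

// Returns true when a fresh object does not inherit the marker, i.e. marking
// another object left Object.prototype untouched.
function freshObjectIsClean () {
  return ({})[fjsCloned] === undefined && ({}).polluted === undefined
}
```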