proto property of a Proxy wrapping an object not containing proto property behaves differently from expected that.

Question

proto property of a Proxy wrapping an object not containing proto property behaves differently from expected that.

kagesakura opened this issue 2 years ago · 2 comments

For instance, it is expected to return undefined, but null is returned.

const { VM } = require('vm2');

console.log(new VM().run('({ __proto__: null })').__proto__);
// output(VM): null

console.log({ __proto__: null }.__proto__);
// output(normal): undefined

Answer 1 · 2022-09-22T17:22:43.000Z

This is expected. In case the object does not have a __proto__ property VM emulates it even if there is a __proto__ property in the prototype chain or, as in your case there is none. The value of the __proto__ property in the chain does also not matter.

const { VM } = require('vm2');

console.log(new VM().run('({ __proto__: { __proto__: null, ["__proto__"]: 1 } })').__proto__);
// output(VM): [Object: null prototype] {}

console.log({ __proto__: { __proto__: null, ["__proto__"]: 1 } }.__proto__);
// output(normal): 1

This is done for a reason and will not be changed.

Answer 2 · 2022-09-22T17:32:03.000Z

Since scripts should not get access to prototypes. If they could it would be trivial to get the Function constructor and escape. Therefore __proto__ is handled specially and a sandboxed prototype is returned instead.