00:08:24  * dbevenius joined
00:12:52  * dbevenius quit (Ping timeout: 250 seconds)
01:07:27  * dbevenius joined
01:11:48  * dbevenius quit (Ping timeout: 250 seconds)
01:20:54  * neo4 joined
02:01:34  * dbevenius joined
02:05:58  * dbevenius quit (Ping timeout: 250 seconds)
02:17:23  * dbevenius joined
02:21:51  * dbevenius quit (Ping timeout: 246 seconds)
02:37:34  * dbevenius joined
02:42:02  * dbevenius quit (Ping timeout: 255 seconds)
02:57:14  * dbevenius joined
03:01:45  * dbevenius quit (Ping timeout: 246 seconds)
03:17:30  * dbevenius joined
03:22:14  * dbevenius quit (Ping timeout: 250 seconds)
03:30:25  * dbevenius joined
03:48:00  * zsocw joined
03:48:00  * zsoc quit (Disconnected by services)
03:56:28  * zsocw quit (Ping timeout: 246 seconds)
04:00:33  <wawasho>names
04:00:49  <wawasho>oops :)
04:10:14  * dbevenius quit (Remote host closed the connection)
04:10:29  * dbevenius joined
04:18:02  * not-an-aardvark joined
04:21:14  <not-an-aardvark>I'm asking with the expectation that we could never do it for compatibility reasons, but how much of the ecosystem would break if Node ran `delete Object.prototype.__proto__` as part of its bootstrapping code?
04:23:32  <not-an-aardvark>This would effectively prevent all "prototype pollution" attacks where some code forgets to account for `__proto__` in an untrusted object and gets tricked into modifying `Object.prototype`, or gets confused and sets the type of an object to something else. It also wouldn't violate the ES spec since `__proto__` is in Annex B and Node isn't a browser.
04:44:05  * howdoi joined
04:51:52  <ljharb>not-an-aardvark: most of annex b is pretty defacto required anyways, but i'm not sure about that one
04:52:21  <ljharb>not-an-aardvark: but also i think Object.prototype's [[Prototype]] is immutable now in the spec
04:53:01  <ljharb>not-an-aardvark: see https://tc39.github.io/ecma262/#sec-immutable-prototype-exotic-objects and https://tc39.github.io/ecma262/#sec-properties-of-the-object-prototype-object
04:53:09  <ljharb>not-an-aardvark: iow, all browsers, and node via v8, already will be doing that.
04:53:20  <not-an-aardvark>It's not possible to do `Object.setPrototypeOf(Object.prototype, something)` but you can still modify or delete properties of `Object.prototype` itself.
04:54:49  <ljharb>sure, but your suggestion wouldn't change that
04:55:06  <ljharb>many things rely on modifying Object.prototype
04:55:12  <ljharb>including es6-shim and core-js
04:55:26  <ljharb>any symbol sham has to modify Object.prototype, eg.
04:56:28  <not-an-aardvark>The thing it's trying to prevent is code that accesses a user-provided key on a user-provided object, then sets it to a user-provided value.
04:57:16  <ljharb>right but __proto__ is immutable per the spec
04:57:18  <not-an-aardvark>This works fine (and is common in deep-merge algorithms) unless the user-provided key is the string `__proto__`, in which case your application has a security vulnerability because network attackers can send JSON objects that modify `Object.prototype`.
04:57:18  <ljharb>that's the attack
04:57:34  <ljharb>hmm
04:57:55  <ljharb>i'm a bit confused
04:58:23  <ljharb>how does a vivified json object with a __proto__ of Object.prototype cause modification of Object.prototype?
04:59:03  <not-an-aardvark>So if I want to deep-merge the object `{}` with a user-provided object, and the user provides `JSON.parse('{"__proto__": {"foo": "bar"}}')`
04:59:36  <not-an-aardvark>Then my deep-merge function might access the `__proto__` property of `{}`, and add a `foo` property on the result with the value `bar`.
04:59:43  <ljharb>aha, right
04:59:55  <ljharb>lol i've fixed this CVE in like 4 libraries, i just spaced it
04:59:57  <not-an-aardvark>(Lodash had this problem a few months ago, also see https://hackerone.com/reports/310443 )
05:00:19  <ljharb>ok so, how would `delete Object.prototype.__proto__` fix that?
05:00:41  <not-an-aardvark>Then when you access the `__proto__` property of `{}`, you get undefined rather than `Object.prototype`
05:01:09  <ljharb>i don't think that's true
05:01:25  <ljharb>`Object.prototype.__proto__` is the [[Prototype]] of Object.prototype itself, and it's null
05:01:32  <not-an-aardvark>`Object.prototype.__proto__` is a getter that calls `Object.getPrototypeOf(this)`.
05:01:37  <ljharb>O.o
05:01:53  <ljharb>wow, ok, i did not realize that
05:02:12  <ljharb>so it is https://tc39.github.io/ecma262/#sec-object.prototype.__proto__
05:02:15  <ljharb>annex b strikes again
05:02:28  <ljharb>in that case i'm not sure what it'd break
05:02:33  <ljharb>but i imagine if browsers can't do it, node can't.
05:02:40  <ljharb>(due to code relying on it)
05:03:41  <not-an-aardvark>That's also my suspicion, but I wonder how common it is in practice.
05:04:14  <not-an-aardvark>Like even if Node can't do it, if it doesn't break too many libraries then applications could start doing it to protect themselves from that attack.
05:05:06  <ljharb>i mean, also they could avoid deep merging :-p
05:06:38  <not-an-aardvark>Sure, but deep merging is sometimes useful and not inherently a problem aside from issues with `Object.prototype`.
05:07:26  <ljharb>personally i find it to always be a code smell ¯\_(ツ)_/¯
05:07:41  <ljharb>despite the 2+ deep merging libs i maintain :-p
05:08:42  <not-an-aardvark>Regardless, if I have a ton of application code and I want to prevent prototype pollution, it's much easier to run `delete Object.prototype.__proto__` once than to audit all of the code to make sure that no deep merging happens anywhere or in any libraries.
05:11:22  <ljharb>true
05:11:34  <ljharb>but it's even easier to `Object.freeze(Object.prototype)` after loading your shims
05:11:50  <ljharb>and if you're worried about attacks, you'd lock down all the builtins after loading shims anyways
05:11:54  * dbevenius quit (Remote host closed the connection)
05:16:44  <not-an-aardvark>Every application that receives untrusted user input should be worried about attacks, but I don't think many people lock down builtins or freeze `Object.prototype`. (A typical threat model would involve parsing untrusted input but not running untrusted code, in which case freezing builtins would be largely unnecessary outside of prototype pollution attacks.)
05:17:41  <ljharb>sure, but the same people who freeze Object.prototype, or don't, will delete Object.prototype.__proto__, or not
05:19:22  <not-an-aardvark>...unless Node or someone's application framework deletes `Object.prototype.__proto__` for them, which may be more feasible than deleting `Object.prototype` because it doesn't violate the ES spec outside of browsers.
05:19:42  <ljharb>perhaps
05:30:24  <not-an-aardvark>Hmm, I guess deleting `Object.prototype.__proto__` might be insufficient because someone could do the same thing with `{}.constructor.prototype`.
06:02:21  * lpin joined
06:37:00  * dbevenius joined
06:57:00  * dbevenius quit (Remote host closed the connection)
07:17:05  * zeds joined
07:17:12  * zeds part
07:40:27  <ljharb>MylesBorins: what more is needed on https://github.com/nodejs/node/pull/26210?
07:41:46  <MylesBorins>ljharb I kicked off CI
07:41:54  <MylesBorins>if it is green this can land tomorrow
07:42:39  <ljharb>yay ty
08:17:25  * not-an-aardvark quit (Quit: Connection closed for inactivity)
08:20:05  * lundibundi joined
08:30:21  * lundibundi quit (Ping timeout: 244 seconds)
08:33:26  * dbevenius joined
08:51:10  * lundibundi joined
08:56:20  * neo4 quit (Ping timeout: 250 seconds)
09:01:21  * lundibundi quit (Quit: WeeChat 2.4)
09:02:40  * lundibundi joined
09:14:23  * howdoi quit (Quit: Connection closed for inactivity)
09:16:04  <rvagg>need someone who isn't TSC, releaser or build to test ci.nodejs.org, can you get to it or have I locked it down properly
09:16:53  <richardlau>"Access Denied
09:16:53  <richardlau>richardlau is missing the Overall/Read permission"
09:17:04  <richardlau>I think you've got it :)
09:33:30  * sgimeno joined
10:15:05  * early quit (Quit: Leaving)
10:19:05  <rvagg>thanks richardlau!
10:21:06  * early joined
10:52:14  * zeds joined
10:52:21  * zeds part
11:29:15  * lundibundi quit (Ping timeout: 246 seconds)
11:40:41  * lundibundi joined
11:50:52  * gamelaster joined
12:05:42  * gamelaster quit (Ping timeout: 250 seconds)
12:50:09  * AtumT joined
13:35:54  * julianduque quit (Ping timeout: 255 seconds)
13:38:49  * julianduque joined
13:43:32  * julianduque quit (Ping timeout: 255 seconds)
13:45:03  * lundibundi quit (Ping timeout: 246 seconds)
13:50:14  * lundibundi joined
13:59:11  <devsnek>why is the nodejs.dev example a gatsby site
13:59:24  <devsnek>Gatsby exists to run on cdns
14:01:35  <devsnek>oh it's how to serve the site itself nevermind
14:30:50  * qbit changed nick to M-qbit
14:32:20  * M-qbit changed nick to qbit
15:14:43  * qbit changed nick to Guest1037
15:16:37  * Guest1037 quit (Quit: WeeChat 2.3)
15:17:40  * lundibundi quit (Ping timeout: 250 seconds)
15:17:57  * qbit joined
15:33:59  * dbeveniu_ joined
15:33:59  * dbevenius quit (Read error: Connection reset by peer)
15:42:44  * dbeveniu_ quit (Remote host closed the connection)
15:50:07  * dbevenius joined
15:54:19  * dbevenius quit (Ping timeout: 246 seconds)
16:05:31  <MylesBorins>devsnek what was confusing you?
16:05:54  <devsnek>MylesBorins: not once i got on a laptop lol
16:06:00  <MylesBorins>lol
16:06:34  <devsnek>i thought the readme in nodejs.dev was for an example of how to use node
16:06:47  <devsnek>because its the default gatsby readme with like "getting started" and whatnot
16:30:04  * dbevenius joined
16:31:56  * sgimeno quit (Quit: Leaving)
16:34:22  * dbevenius quit (Ping timeout: 250 seconds)
17:14:30  * lundibundi joined
17:28:07  * dbevenius joined
17:29:31  * lundibundi quit (Ping timeout: 246 seconds)
17:31:43  * lundibundi joined
17:32:27  * dbevenius quit (Ping timeout: 240 seconds)
17:50:07  * dbevenius joined
17:54:32  * dbevenius quit (Ping timeout: 250 seconds)
18:08:10  * dbevenius joined
18:12:33  * dbevenius quit (Ping timeout: 245 seconds)
18:18:21  * snoring_cat joined
18:39:10  * dbevenius joined
18:43:48  * dbevenius quit (Ping timeout: 245 seconds)
18:51:18  * snoring_cat part
18:53:47  * lpin quit (Quit: Textual IRC Client: www.textualapp.com)
19:06:09  <ljharb>MylesBorins: so some of the CIs failed but i don't have perms to see why
19:06:25  <MylesBorins>CI is locked down for a security release rn
19:06:29  <MylesBorins>won't be open again until next week
19:08:04  <ljharb>ah right, k
19:08:14  * dbevenius joined
19:08:20  <ljharb>soooo are the failures something i need to fix tho, or flukes?
19:12:39  * dbevenius quit (Ping timeout: 246 seconds)
19:27:15  * dbevenius joined
19:29:18  * dbevenius quit (Remote host closed the connection)
19:29:28  * dbevenius joined
19:42:36  <Trott>ljharb: Give me the URL and I'll take a look and let you know.
19:42:58  <Trott>ljharb: Oh, I see, it's for https://github.com/nodejs/node/pull/26210?
19:44:23  <Trott>Looks build/infra related and pretty pervasive. Heading over to #node-build to see what's up....
19:46:08  <ljharb>yep
19:46:09  <ljharb>thanks!
19:46:28  * julianduque joined
19:54:23  * lundibundi quit (Ping timeout: 268 seconds)
20:49:22  * dbevenius quit (Remote host closed the connection)
20:55:24  * dbevenius joined
20:59:45  * dbevenius quit (Ping timeout: 246 seconds)
21:09:55  * dbevenius joined
21:14:26  * dbevenius quit (Ping timeout: 255 seconds)