| ▲ | sublinear 7 hours ago | |
> Is this exploitable? No. ... JSON.stringify knows to skip the __proto__ field. ... However, refactors to the code could ... [cause] subtle incorrectness and sharp edge cases in your code base. So what? This line of what-if reasoning is so annoying especially when it's analysis for a language like javascript. There's no vulnerability found here and most web developers are well aware of the risky parts of the language. This is almost as bad as all the insane false positives SAST scans dump on you. Oh I'm just waiting to get dogpiled by people who want to tell me web devs are dumber than them and couldn't possibly be competent at anything. | ||
| ▲ | oncallthrow 3 hours ago | parent | next [-] | |
> most web developers are well aware of the risky parts of the language In my experience this really isn’t true. Most web developers I know are not familiar (enough) with prototype pollution. By the way, this isn’t because they are “dumb”. It’s the tool’s fault, not the craftsman’s, in this case. Prototype pollution is complicated and surprising | ||
| ▲ | yakshaving_jgt 4 hours ago | parent | prev | next [-] | |
> most web developers are well aware of the risky parts of the language I don't think this is true, and I think that's supported by the success of JavaScript: The Good Parts. It would be unfair to characterise a lack of comprehensive knowledge of JavaScript foot-guns as general incompetence. | ||
| ▲ | jgalt212 2 hours ago | parent | prev [-] | |
> insane false positives SAST scans dump on you Great LLM use case: Please explain to the box ticking person why these "insane false positives SAST" are false and / or of no consequence. | ||