Fix JSON.stringify() inherited array index bug

4 years ago · 1f2adabc1e
3 changed files with 16 additions and 1 deletions
--- a/releases/releases.yaml
+++ b/releases/releases.yaml
@ -1367,3 +1367,4 @@ duktape_releases:
    - "Fix pointer overflow in String.prototype.startsWith/endsWith() with certain arguments (GH-2320)"
    - "Fix assertion failure and incorrect behavior in some enumeration cases involving inherited duplicate keys (GH-2322)"
    - "Fix unstable pointer in 'putvar' which could trigger e.g. in a with(proxy) statement (GH-2323)"
+    - "Fix unsafe behavior in JSON.stringify() when replacer argument is an array and Array.prototype has inherited index properties (GH-2202, GH-2324)"
--- a/src-input/duk_bi_json.c
+++ b/src-input/duk_bi_json.c
@ -3021,7 +3021,7 @@ void duk_bi_json_stringify_helper(duk_hthread *thr,
 			duk_uarridx_t plist_idx = 0;
 			duk_small_uint_t enum_flags;

-			js_ctx->idx_proplist = duk_push_array(thr);  /* XXX: array internal? */
+			js_ctx->idx_proplist = duk_push_bare_array(thr);

 			enum_flags = DUK_ENUM_ARRAY_INDICES_ONLY |
 			             DUK_ENUM_SORT_ARRAY_INDICES;  /* expensive flag */
--- a/tests/ecmascript/test-bug-json-stringify-proplist-inherited-gh2202.js
+++ b/tests/ecmascript/test-bug-json-stringify-proplist-inherited-gh2202.js
@ -0,0 +1,14 @@
+// https://github.com/svaarala/duktape/issues/2202
+
+/*===
+A
+B
+{}
+done
+===*/
+
+print('A');
+Object.defineProperty(Array.prototype, 0, { set: function () { } })
+print('B');
+print(String(JSON.stringify({ }, [ 0, 0])));
+print('done');