Merge pull request #907 from postmanlabs/feature/fix-prepareStackTrace

codenirvana · web-flow · commit 04ef1d3a718b · 2023-04-10T21:58:33.000+05:30
Defined custom Error.prepareStackTrace
diff --git a/CHANGELOG.yaml b/CHANGELOG.yaml
@@ -1,3 +1,7 @@
+unreleased:
+  fixed bugs:
+    - GH-907 Defined `Error.prepareStackTrace` to prevent stack trace pollution
+
 4.2.4:
   date: 2023-03-10
   fixed bugs:
diff --git a/lib/sandbox/index.js b/lib/sandbox/index.js
@@ -54,6 +54,22 @@
         // @note this deletes the constructor as well to make sure one can't recreate the same scope
         contextObject = Object.getPrototypeOf(contextObject);
     } while (contextObject && contextObject.constructor !== Object);
+
+    // define custom Error.prepareStackTrace
+    Object.defineProperty(Error, 'prepareStackTrace', {
+        value: function (error, structuredStackTrace) {
+            const errorString = String(error);
+
+            if (Array.isArray(structuredStackTrace) && structuredStackTrace.length) {
+                return `${errorString}\n    at ${structuredStackTrace.join('\n    at ')}`;
+            }
+
+            return errorString;
+        },
+        configurable: false,
+        enumerable: false,
+        writable: false
+    });
 }());
 
 // do include json purse
diff --git a/test/unit/sandbox-sanity.test.js b/test/unit/sandbox-sanity.test.js
@@ -57,6 +57,24 @@ describe('sandbox', function () {
         });
     });
 
+    it('should not be able to mutate Error.prepareStackTrace', function (done) {
+        Sandbox.createContext(function (err, ctx) {
+            if (err) { return done(err); }
+            ctx.on('error', done);
+
+            ctx.execute(`
+                var assert = require('assert');
+                var fn = Error.prepareStackTrace;
+
+                Error.prepareStackTrace = () => {};
+                assert.equal(Error.prepareStackTrace, fn);
+
+                var err = new Error('Test');
+                assert.equal(err.stack.split('\\n')[0], 'Error: Test');
+            `, done);
+        });
+    });
+
     it('should not have access to global properties', function (done) {
         Sandbox.createContext({ debug: true }, function (err, ctx) {
             if (err) { return done(err); }
