From e55cbb3e3dbedc5c17d0f82ed5170b156199f52d Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Thu, 3 Feb 2022 02:01:22 +0100
Subject: [PATCH] Fix bug in debug node due to msg.hasOwnProperty construct `msg.hasOwnProperty("status")` might make the debug node crash/produce an error if the payload was created with `Object.create(null)`. This is the case e.g. for `ini` (to parse INI files), an official NPM node: https://github.com/npm/ini/blob/4f289946b3bf95f144e849d771f64e4f2aa2737c/lib/ini.js#L63 My Node-RED node `node-red-contrib-parser-ini`, which is using that library, was hit by this bug and I had to ship a workaround https://github.com/alexandrainst/node-red-contrib-parser-ini/blob/fe6b1eb4b18fd54459e2505b1c2f54eb0a9c9fec/parser-ini.js#L14 The `msg.hasOwnProperty("xxx")` construct should not be used since ECMAScript 5.1. ESLint advises in the same direction https://eslint.org/docs/rules/no-prototype-builtins This patch was produced using the following regex: Search: `\b([\w.]+).hasOwnProperty\(` Replace: `Object.prototype.hasOwnProperty.call($1, ` This could be applied more gobally if desired.
---
.../@node-red/nodes/core/common/21-debug.js | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/packages/node_modules/@node-red/nodes/core/common/21-debug.js b/packages/node_modules/@node-red/nodes/core/common/21-debug.js
index 73d364e43..c67a7d38b 100644
--- a/packages/node_modules/@node-red/nodes/core/common/21-debug.js
+++ b/packages/node_modules/@node-red/nodes/core/common/21-debug.js
@@ -107,7 +107,7 @@ module.exports = function(RED) {
 }
 })
 this.on("input", function(msg, send, done) {
- if (msg.hasOwnProperty("status") && msg.status.hasOwnProperty("source") && msg.status.source.hasOwnProperty("id") && (msg.status.source.id === node.id)) {
+ if (Object.prototype.hasOwnProperty.call(msg, "status") && Object.prototype.hasOwnProperty.call(msg.status, "source") && Object.prototype.hasOwnProperty.call(msg.status.source, "id") && (msg.status.source.id === node.id)) {
 done();
 return;
 }
@@ -118,17 +118,17 @@ module.exports = function(RED) {
 var st = (typeof output === 'string') ? output : util.inspect(output);
 var fill = "grey";
 var shape = "dot";
- if (typeof output === 'object' && output.hasOwnProperty("fill") && output.hasOwnProperty("shape") && output.hasOwnProperty("text")) {
+ if (typeof output === 'object' && Object.prototype.hasOwnProperty.call(output, "fill") && Object.prototype.hasOwnProperty.call(output, "shape") && Object.prototype.hasOwnProperty.call(output, "text")) {
 fill = output.fill;
 shape = output.shape;
 st = output.text;
 }
 if (node.statusType === "auto") {
- if (msg.hasOwnProperty("error")) {
+ if (Object.prototype.hasOwnProperty.call(msg, "error")) {
 fill = "red";
 st = msg.error.message;
 }
- if (msg.hasOwnProperty("status")) {
+ if (Object.prototype.hasOwnProperty.call(msg, "status")) {
 fill = msg.status.fill || "grey";
 shape = msg.status.shape || "ring";
 st = msg.status.text || "";
@@ -194,7 +194,7 @@ module.exports = function(RED) {
 function sendDebug(msg) {
 // don't put blank errors in sidebar (but do add to logs)
- //if ((msg.msg === "") && (msg.hasOwnProperty("level")) && (msg.level === 20)) { return; }
+ //if ((msg.msg === "") && (Object.prototype.hasOwnProperty.call(msg, "level")) && (msg.level === 20)) { return; }
 msg = RED.util.encodeObject(msg,{maxLength:debuglength});
 RED.comms.publish("debug",msg);
 }
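Review bot: The rewritten guard at the top of the `input` handler still throws when `status` is an own property whose value is null, because `Object.prototype.hasOwnProperty.call(msg.status, "source")` raises a TypeError for a `null` or `undefined` receiver, and the same applies one level down for `msg.status.source`. Since `msg` is whatever an upstream node chose to send, a message carrying `status: null` would still throw inside the handler, which is the kind of failure this patch sets out to remove. A truthiness check before each nested lookup closes it, e.g. `if (msg.status && msg.status.source && msg.status.source.id === node.id) {`. The second hunk has the same gap: `typeof output === 'object'` is true for `null`, and `msg.error.message` and `msg.status.fill` are read after only an own-property check on `msg`. The handler body continues outside the hunk.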
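Review bot: The repeated `Object.prototype.hasOwnProperty.call(...)` makes these conditions hard to scan, most visibly the three-way check on `output` in this hunk. A small module-level helper, `function hasOwn(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); }`, would keep the null-prototype safety while letting the condition read `hasOwn(output, "fill") && hasOwn(output, "shape") && hasOwn(output, "text")`. It would also give one place to decide how a null receiver is treated instead of repeating that decision at every call site. The enclosing function starts and ends outside the hunk.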