lib: make Error objects instantiation less vulnerable to prototype pollution

lib/internal/assert/assertion_error.js

@@ -8,6 +8,7 @@ const {
   MathMax,
   ObjectCreate,
   ObjectDefineProperty,
+  ObjectDefineProperties,
   ObjectGetPrototypeOf,
   ObjectKeys,
   String,
@@ -26,6 +27,7 @@ const {
   validateObject,
 } = require('internal/validators');
 const { isErrorStackTraceLimitWritable } = require('internal/errors');
+const { assignOwnProperties } = require('internal/util/safe-property-assignment');
 
 
 const kReadableOperator = {
@@ -424,30 +426,42 @@ class AssertionError extends Error {
 
     if (isErrorStackTraceLimitWritable()) Error.stackTraceLimit = limit;
 
-    this.generatedMessage = !message;
-    ObjectDefineProperty(this, 'name', {
-      __proto__: null,
-      value: 'AssertionError [ERR_ASSERTION]',
-      enumerable: false,
-      writable: true,
-      configurable: true
+    ObjectDefineProperties(this, {
+      generatedMessage: {
+        __proto__: null,
+        value: !message,
+        enumerable: true,
+        writable: true,
+        configurable: true,
+      },
+      name: {
+        __proto__: null,
+        value: 'AssertionError [ERR_ASSERTION]',
+        enumerable: false,
+        writable: true,
+        configurable: true
+      },
+      code: {
+        __proto__: null,
+        value: 'ERR_ASSERTION',
+        enumerable: true,
+        writable: true,
+        configurable: true,
+      },
     });
-    this.code = 'ERR_ASSERTION';
     if (details) {
-      this.actual = undefined;
-      this.expected = undefined;
-      this.operator = undefined;
+      assignOwnProperties(this, { actual: undefined, expected: undefined, operator: undefined });
       for (let i = 0; i < details.length; i++) {
-        this['message ' + i] = details[i].message;
-        this['actual ' + i] = details[i].actual;
-        this['expected ' + i] = details[i].expected;
-        this['operator ' + i] = details[i].operator;
-        this['stack trace ' + i] = details[i].stack;
+        assignOwnProperties(this, {
+          ['message ' + i]: details[i].message,
+          ['actual ' + i]: details[i].actual,
+          ['expected ' + i]: details[i].expected,
+          ['operator ' + i]: details[i].operator,
+          ['stack trace ' + i]: details[i].stack,
+        });
       }
     } else {
-      this.actual = actual;
-      this.expected = expected;
-      this.operator = operator;
+      assignOwnProperties(this, { actual, expected, operator });
     }
     ErrorCaptureStackTrace(this, stackStartFn || stackStartFunction);
     // Create error message including the error code in the name.

lib/internal/errors.js

@@ -32,7 +32,7 @@ const {
   MathMax,
   Number,
   NumberIsInteger,
-  ObjectAssign,
+  ObjectCreate,
   ObjectDefineProperty,
   ObjectDefineProperties,
   ObjectIsExtensible,
@@ -59,12 +59,17 @@ const {
   URIError,
 } = primordials;
 
+const {
+  assignOwnProperties,
+  setOwnProperty,
+} = require('internal/util/safe-property-assignment');
+
 const kIsNodeError = Symbol('kIsNodeError');
 
 const isWindows = process.platform === 'win32';
 
 const messages = new SafeMap();
-const codes = {};
+const codes = ObjectCreate(null);
 
 const classRegExp = /^([A-Z][a-z0-9]*)+$/;
 // Sorted by a rough estimate on most frequently used entries.
@@ -161,7 +166,7 @@ const aggregateTwoErrors = hideStackFrames((innerError, outerError) => {
       outerError,
       innerError,
     ]), outerError.message);
-    err.code = outerError.code;
+    setOwnProperty(err, 'code', outerError.code);
     return err;
   }
   return innerError || outerError;
@@ -170,7 +175,7 @@ const aggregateTwoErrors = hideStackFrames((innerError, outerError) => {
 const aggregateErrors = hideStackFrames((errors, message, code) => {
   // eslint-disable-next-line no-restricted-syntax
   const err = new AggregateError(new SafeArrayIterator(errors), message);
-  err.code = errors[0]?.code;
+  setOwnProperty(err, 'code', errors[0]?.code);
   return err;
 });
 
@@ -249,8 +254,6 @@ class SystemError extends Error {
 
     captureLargerStackTrace(this);
 
-    this.code = key;
-
     ObjectDefineProperties(this, {
       [kIsNodeError]: {
         __proto__: null,
@@ -273,6 +276,13 @@ class SystemError extends Error {
         writable: true,
         configurable: true,
       },
+      code: {
+        __proto__: null,
+        value: key,
+        enumerable: true,
+        writable: true,
+        configurable: true,
+      },
       info: {
         __proto__: null,
         value: context,
@@ -397,7 +407,7 @@ function makeNodeErrorWithCode(Base, key) {
       },
     });
     captureLargerStackTrace(error);
-    error.code = key;
+    setOwnProperty(error, 'code', key);
     return error;
   };
 }
@@ -533,15 +543,15 @@ const uvException = hideStackFrames(function uvException(ctx) {
     if (prop === 'message' || prop === 'path' || prop === 'dest') {
       continue;
     }
-    err[prop] = ctx[prop];
+    setOwnProperty(err, prop, ctx[prop]);
   }
 
-  err.code = code;
+  setOwnProperty(err, 'code', code);
   if (path) {
-    err.path = path;
+    setOwnProperty(err, 'path', path);
   }
   if (dest) {
-    err.dest = dest;
+    setOwnProperty(err, 'dest', dest);
   }
 
   return captureLargerStackTrace(err);
@@ -578,12 +588,9 @@ const uvExceptionWithHostPort = hideStackFrames(
     // eslint-disable-next-line no-restricted-syntax
     const ex = new Error(`${message}${details}`);
     if (isErrorStackTraceLimitWritable()) Error.stackTraceLimit = tmpLimit;
-    ex.code = code;
-    ex.errno = err;
-    ex.syscall = syscall;
-    ex.address = address;
+    assignOwnProperties(ex, { code, errno: err, syscall, address });
     if (port) {
-      ex.port = port;
+      setOwnProperty(ex, 'port', port);
     }
 
     return captureLargerStackTrace(ex);
@@ -613,9 +620,7 @@ const errnoException = hideStackFrames(
     // eslint-disable-next-line no-restricted-syntax
     const ex = new Error(message);
     if (isErrorStackTraceLimitWritable()) Error.stackTraceLimit = tmpLimit;
-    ex.errno = err;
-    ex.code = code;
-    ex.syscall = syscall;
+    assignOwnProperties(ex, { errno: err, code, syscall });
 
     return captureLargerStackTrace(ex);
   });
@@ -657,12 +662,9 @@ const exceptionWithHostPort = hideStackFrames(
     // eslint-disable-next-line no-restricted-syntax
     const ex = new Error(`${syscall} ${code}${details}`);
     if (isErrorStackTraceLimitWritable()) Error.stackTraceLimit = tmpLimit;
-    ex.errno = err;
-    ex.code = code;
-    ex.syscall = syscall;
-    ex.address = address;
+    assignOwnProperties(ex, { errno: err, code, syscall, address });
     if (port) {
-      ex.port = port;
+      setOwnProperty(ex, 'port', port);
     }
 
     return captureLargerStackTrace(ex);
@@ -702,11 +704,9 @@ const dnsException = hideStackFrames(function(code, syscall, hostname) {
   // eslint-disable-next-line no-restricted-syntax
   const ex = new Error(message);
   if (isErrorStackTraceLimitWritable()) Error.stackTraceLimit = tmpLimit;
-  ex.errno = errno;
-  ex.code = code;
-  ex.syscall = syscall;
+  assignOwnProperties(ex, { errno, code, syscall });
   if (hostname) {
-    ex.hostname = hostname;
+    setOwnProperty(ex, 'hostname', hostname);
   }
 
   return captureLargerStackTrace(ex);
@@ -715,7 +715,7 @@ const dnsException = hideStackFrames(function(code, syscall, hostname) {
 function connResetException(msg) {
   // eslint-disable-next-line no-restricted-syntax
   const ex = new Error(msg);
-  ex.code = 'ECONNRESET';
+  setOwnProperty(ex, 'code', 'ECONNRESET');
   return ex;
 }
 
@@ -850,8 +850,7 @@ class AbortError extends Error {
       throw new codes.ERR_INVALID_ARG_TYPE('options', 'Object', options);
     }
     super(message, options);
-    this.code = 'ABORT_ERR';
-    this.name = 'AbortError';
+    assignOwnProperties(this, { code: 'ABORT_ERR', name: 'AbortError' });
   }
 }
 
@@ -865,7 +864,7 @@ class AbortError extends Error {
 const genericNodeError = hideStackFrames(function genericNodeError(message, errorProperties) {
   // eslint-disable-next-line no-restricted-syntax
   const err = new Error(message);
-  ObjectAssign(err, errorProperties);
+  assignOwnProperties(err, errorProperties);
   return err;
 });
 

lib/internal/event_target.js

@@ -67,6 +67,7 @@ const kIsNodeStyleListener = Symbol('kIsNodeStyleListener');
 const kTrustEvent = Symbol('kTrustEvent');
 
 const { now } = require('internal/perf/utils');
+const { assignOwnProperties } = require('internal/util/safe-property-assignment');
 
 const kType = Symbol('type');
 const kDetail = Symbol('detail');
@@ -516,10 +517,12 @@ class EventTarget {
                           `${size} ${type} listeners ` +
                           `added to ${inspect(this, { depth: -1 })}. Use ` +
                           'events.setMaxListeners() to increase limit');
-      w.name = 'MaxListenersExceededWarning';
-      w.target = this;
-      w.type = type;
-      w.count = size;
+      assignOwnProperties(w, {
+        name: 'MaxListenersExceededWarning',
+        target: this,
+        type,
+        count: size,
+      });
       process.emitWarning(w);
     }
   }
@@ -567,9 +570,11 @@ class EventTarget {
       // eslint-disable-next-line no-restricted-syntax
       const w = new Error(`addEventListener called with ${listener}` +
                           ' which has no effect.');
-      w.name = 'AddEventListenerArgumentTypeWarning';
-      w.target = this;
-      w.type = type;
+      assignOwnProperties(w, {
+        name: 'AddEventListenerArgumentTypeWarning',
+        target: this,
+        type: type,
+      });
       process.emitWarning(w);
       return;
     }

lib/internal/fs/promises.js

@@ -108,6 +108,7 @@ const { Interface } = require('internal/readline/interface');
 const {
   JSTransferable, kDeserialize, kTransfer, kTransferList
 } = require('internal/worker/js_transferable');
+const { assignOwnProperties } = require('internal/util/safe-property-assignment');
 
 const getDirectoryEntriesPromise = promisify(getDirents);
 const validateRmOptionsPromise = promisify(validateRmOptions);
@@ -372,8 +373,7 @@ async function fsCall(fn, handle, ...args) {
   if (handle.fd === -1) {
     // eslint-disable-next-line no-restricted-syntax
     const err = new Error('file closed');
-    err.code = 'EBADF';
-    err.syscall = fn.name;
+    assignOwnProperties(err, { code: 'EBADF', syscall: fn.name });
     throw err;
   }
 

lib/internal/http2/util.js

@@ -34,6 +34,7 @@ const {
   hideStackFrames,
   kIsNodeError,
 } = require('internal/errors');
+const { assignOwnProperties } = require('internal/util/safe-property-assignment');
 
 const kSensitiveHeaders = Symbol('nodejs.http2.sensitiveHeaders');
 const kSocket = Symbol('socket');
@@ -551,8 +552,10 @@ class NghttpError extends Error {
     super(customErrorCode ?
       getMessage(customErrorCode, [], null) :
       binding.nghttp2ErrorString(integerCode));
-    this.code = customErrorCode || 'ERR_HTTP2_ERROR';
-    this.errno = integerCode;
+    assignOwnProperties(this, {
+      code: customErrorCode || 'ERR_HTTP2_ERROR',
+      errno: integerCode,
+    });
     captureLargerStackTrace(this);
     ObjectDefineProperty(this, kIsNodeError, {
       __proto__: null,

lib/internal/main/mksnapshot.js

@@ -22,6 +22,7 @@ const {
 const {
   readFileSync
 } = require('fs');
+const { setOwnProperty } = require('internal/util/safe-property-assignment');
 
 const supportedModules = new SafeSet(new SafeArrayIterator([
   // '_http_agent',
@@ -100,7 +101,7 @@ function requireForUserSnapshot(id) {
     const err = new Error(
       `Cannot find module '${id}'. `
     );
-    err.code = 'MODULE_NOT_FOUND';
+    setOwnProperty(err, 'code', 'MODULE_NOT_FOUND');
     throw err;
   }
   if (!supportedInUserSnapshot(id)) {