fix(security): 2 improvements across 2 files #1681
Conversation
* Fix package-lock file
* Docs: remove CodeSandbox embedded demos and add links to working examples in Stackblitz (handsontable#1621)
> [!NOTE]
> **Low Risk**
> Low risk documentation-only changes: adds new guide pages and adjusts VuePress sidebar navigation with no runtime or API impact.
>
> **Overview**
> Adds three new AI-focused documentation pages: `ai-sdk`, `integration-with-langchain`, and `mcp-server`, describing how to use HyperFormula for deterministic spreadsheet computation in agent workflows.
>
> Updates the VuePress guide sidebar to surface these pages under **Integrations**, renames the section from *Framework integration* to *Integrations*, and moves the former *Overview* links into a new *About* section.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 54c541b. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>

Co-authored-by: GreenFlux <support@greenflux.us>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
- Security: Potential Prototype Pollution in objectDestroy
- Security: Unsafe Regular Expression Construction in NumberLiteralHelper

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
✅ Deploy Preview for hyperformula-docs ready!
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit fd8eb55.
| for (const key of Object.keys(object)) { | ||
| if (!Object.prototype.hasOwnProperty.call(object, key)) { | ||
| continue | ||
| } |
Redundant hasOwnProperty check after Object.keys
Low Severity
The hasOwnProperty guard is redundant here because Object.keys() already returns only an object's own enumerable properties by specification. The condition !Object.prototype.hasOwnProperty.call(object, key) can never be true for keys returned by Object.keys(object), making this a dead branch that adds unnecessary complexity without any protective benefit.
Hi @tomaioo, thank you very much for taking the time to propose a solution. Could you please also sign our CLA? Without the signature, we won't be able to merge the code.
✅ Deploy Preview for hyperformula-dev-docs ready!
@tomaioo Thank you for contributing to the HyperFormula project. We found your suggestions valuable, and we'd like to include them in the next HF release. But for legal reasons, we cannot use your code unless you sign our CLA: https://docs.google.com/forms/d/e/1FAIpQLScpMq4swMelvw3-onxC8Jl29m0fVp5hpf7d1yQVklqVjGjWGA/viewform?c=0&w=1


Summary
fix(security): 2 improvements across 2 files
Problem
Severity: Medium | File: src/Destroy.ts:L6

The `objectDestroy` function iterates over all object entries and deletes properties or replaces methods. If this function is ever called with an object that has a prototype chain, or if `Object.entries` includes inherited properties (though it doesn't by default), this could lead to unexpected behavior. More critically, the function accepts `any` type and doesn't validate the input, which could cause issues if called with null/undefined or non-object types.

Solution

Add input validation to ensure `object` is a non-null object. Consider using `Object.keys` instead of `Object.entries` for better control, and explicitly check `hasOwnProperty` to avoid touching prototype properties.

Changes

- src/Destroy.ts (modified)
- src/NumberLiteralHelper.ts (modified)

Note
Low Risk
Small defensive changes to destroy teardown and config-driven regex construction; behavior for normal HyperFormula instances and typical separators should be unchanged.
Overview
Hardens instance teardown and numeric literal parsing against unsafe inputs and regex injection.
`objectDestroy` now no-ops on `null` and non-objects, walks only own keys via `Object.keys` + `hasOwnProperty`, and drops redundant casts, so `HyperFormula.destroy()` is less likely to throw or touch unexpected properties on odd inputs.

`NumberLiteralHelper` builds separator patterns with a full `escapeRegex` helper instead of special-casing `.` only, so arbitrary `thousandSeparator`/`decimalSeparator` config values cannot break or subvert the number-matching regex.

Reviewed by Cursor Bugbot for commit 0589d32. Bugbot is set up for automated code reviews on this repo.
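The separator escaping described above, as an added example that is not HyperFormula's own code: a full `escapeRegex` helper beside a naive version that special-cases only `.`, each spliced into a number-literal pattern built from configured separators. The pattern shape and the `buildNumberRegex`, `matchesNumberLiteral` and `naiveConstructionThrows` helpers are assumptions for illustration, not the project's real implementation.

```typescript
// Added example, not HyperFormula's code. Shows why a configured
// thousandSeparator/decimalSeparator must be fully escaped before it is
// spliced into a RegExp, and what goes wrong when only '.' is special-cased.

// Full escape: every regex metacharacter gets a backslash, so the separator
// is always matched literally. (Assumed to match the purpose of the PR's
// escapeRegex helper, not its exact code.)
function escapeRegex(separator: string): string {
  return separator.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
}

// The weak approach: only '.' is treated as special, everything else is
// pasted into the pattern verbatim.
function naiveEscape(separator: string): string {
  return separator === '.' ? '\\.' : separator
}

// Hypothetical number-literal pattern built from the configured separators:
// optional sign, digits grouped in threes by the thousands separator (or a
// plain digit run), then an optional decimal part.
function buildNumberRegex(
  thousands: string,
  decimal: string,
  escape: (s: string) => string = escapeRegex,
): RegExp {
  const t = escape(thousands)
  const d = escape(decimal)
  return new RegExp(`^-?(?:\\d{1,3}(?:${t}\\d{3})+|\\d+)(?:${d}\\d+)?$`)
}

// True when `value` is a number literal under the given separators.
function matchesNumberLiteral(
  value: string,
  thousands: string,
  decimal: string,
  escape: (s: string) => string = escapeRegex,
): boolean {
  return buildNumberRegex(thousands, decimal, escape).test(value)
}

// True when the naive construction throws for these separators, e.g. '+' or
// '?' lands right after '(?:' and becomes a dangling quantifier.
function naiveConstructionThrows(thousands: string, decimal: string): boolean {
  try {
    buildNumberRegex(thousands, decimal, naiveEscape)
    return false
  } catch (e) {
    return e instanceof SyntaxError
  }
}
```

With `$` as the thousands separator the naive pattern does not throw at all; it silently turns into an end-of-input anchor and rejects every grouped number, which is the quieter of the two failure modes.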