lib: harden kKeyOps lookup with null prototype

panva · web-flow · commit 1f6f3ac87166 · 2026-04-23T18:19:31.000Z
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #62877 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Jordan Harband <ljharb@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
diff --git a/lib/internal/crypto/util.js b/lib/internal/crypto/util.js
@@ -764,6 +764,7 @@ function getDigestSizeInBytes(name) {
 }
 
 const kKeyOps = {
+  __proto__: null,
   sign: 1,
   verify: 2,
   encrypt: 3,
diff --git a/test/parallel/test-webcrypto-util.js b/test/parallel/test-webcrypto-util.js
@@ -9,6 +9,7 @@ const assert = require('assert');
 
 const {
   normalizeAlgorithm,
+  validateKeyOps,
 } = require('internal/crypto/util');
 
 {
@@ -49,3 +50,12 @@ const {
   assert.strictEqual(normalized.name, 'ECDSA');
   assert.strictEqual(nameReadCount, 1);
 }
+
+{
+  for (const ops of [
+    ['sign', 'toString', 'constructor'],
+    ['sign', '__proto__', 'constructor'],
+  ]) {
+    validateKeyOps(ops);
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -764,6 +764,7 @@ function getDigestSizeInBytes(name) {`
`764`	`764`	`}`
`765`	`765`
`766`	`766`	`const kKeyOps = {`
	`767`	`+ __proto__: null,`
`767`	`768`	`sign: 1,`
`768`	`769`	`verify: 2,`
`769`	`770`	`encrypt: 3,`