Remove Object.prototype.__proto__

[kitsonk]

Fixes #4324

This PR removes Object.prototype.__proto__. This legacy property can be exploited when deserialising inguarded external input. The most common exploit would be a denial of service attack causing code to throw in unexpected ways.

Prior to this patch, the following code:

const payload = `{ "__proto__": null }`;
const obj = {};
console.log("Before: " + obj);
Object.assign(obj, JSON.parse(payload));
console.log("After: " + obj);

Would result in the following output from Deno:

$ deno cli/tests/proto_exploit.js
Before: [object Object]
error: Uncaught TypeError: Cannot convert object to primitive value
► /deno/cli/tests/proto_exploit.js:5:23

5 console.log("After: " + obj);
                        ^

    at file:https:///Users/kkelly/github/deno/cli/tests/proto_exploit.js:5:23

With this patch, the output is:

Before: [object Object]
After: [object Object]

TypeScript already claims that Object.prototype.__proto__ doesn't exist, so there is nothing to correct there.

An alternative approach was to "throw" on attempting to access __proto__, effectively though that would be the same situation, in that someone attempting to exploit unguarded serialised input to "attack" __proto__ would be successful. The "best" situation is really to not have __proto__ in the prototype for Objects and exploits would not have any impact on the code.

#4324 also mentions freezing built ins. This has a potentially much bigger consequences and it is debatable about what builtins we would actually want to freeze, we should tackle that as a seperate issue IMO.

[ry]

👍

[bartlomieju]

LGTM