Add more DoS mitigations to React Flight Reply, and harden React Flight

Co-authored-by: Josh Story <josh.c.story@gmail.com>
Co-authored-by: Janka Uryga <lolzatu2@gmail.com>
Co-authored-by: Hendrik Liebau <mail@hendrik-liebau.de>

Author: 4 people

packages/react-client/src/ReactFlightClient.js

@@ -98,6 +98,8 @@ import getComponentNameFromType from 'shared/getComponentNameFromType';
 
 import {getOwnerStackByComponentInfoInDev} from 'shared/ReactComponentInfoStack';
 
+import hasOwnProperty from 'shared/hasOwnProperty';
+
 import {injectInternals} from './ReactFlightClientDevToolsHook';
 
 import {OMITTED_PROP_ERROR} from 'shared/ReactFlightPropertyAccess';
@@ -163,6 +165,8 @@ const INITIALIZED = 'fulfilled';
 const ERRORED = 'rejected';
 const HALTED = 'halted'; // DEV-only. Means it never resolves even if connection closes.
 
+const __PROTO__ = '__proto__';
+
 type PendingChunk<T> = {
   status: 'pending',
   value: null | Array<InitializationReference | (T => mixed)>,
@@ -1496,7 +1500,16 @@ function fulfillReference(
           }
         }
       }
-      value = value[path[i]];
+      const name = path[i];
+      if (
+        typeof value === 'object' &&
+        value !== null &&
+        hasOwnProperty.call(value, name)
+      ) {
+        value = value[name];
+      } else {
+        throw new Error('Invalid reference.');
+      }
     }
 
     while (
@@ -1532,7 +1545,9 @@ function fulfillReference(
     }
 
     const mappedValue = map(response, value, parentObject, key);
-    parentObject[key] = mappedValue;
+    if (key !== __PROTO__) {
+      parentObject[key] = mappedValue;
+    }
 
     // If this is the root object for a model reference, where `handler.value`
     // is a stale `null`, the resolved value can be used directly.
@@ -1799,7 +1814,9 @@ function loadServerReference<A: Iterable<any>, T>(
       response._encodeFormAction,
     );
 
-    parentObject[key] = resolvedValue;
+    if (key !== __PROTO__) {
+      parentObject[key] = resolvedValue;
+    }
 
     // If this is the root object for a model reference, where `handler.value`
     // is a stale `null`, the resolved value can be used directly.
@@ -2177,29 +2194,31 @@ function defineLazyGetter<T>(
 ): any {
   // We don't immediately initialize it even if it's resolved.
   // Instead, we wait for the getter to get accessed.
-  Object.defineProperty(parentObject, key, {
-    get: function () {
-      if (chunk.status === RESOLVED_MODEL) {
-        // If it was now resolved, then we initialize it. This may then discover
-        // a new set of lazy references that are then asked for eagerly in case
-        // we get that deep.
-        initializeModelChunk(chunk);
-      }
-      switch (chunk.status) {
-        case INITIALIZED: {
-          return chunk.value;
+  if (key !== __PROTO__) {
+    Object.defineProperty(parentObject, key, {
+      get: function () {
+        if (chunk.status === RESOLVED_MODEL) {
+          // If it was now resolved, then we initialize it. This may then discover
+          // a new set of lazy references that are then asked for eagerly in case
+          // we get that deep.
+          initializeModelChunk(chunk);
         }
-        case ERRORED:
-          throw chunk.reason;
-      }
-      // Otherwise, we didn't have enough time to load the object before it was
-      // accessed or the connection closed. So we just log that it was omitted.
-      // TODO: We should ideally throw here to indicate a difference.
-      return OMITTED_PROP_ERROR;
-    },
-    enumerable: true,
-    configurable: false,
-  });
+        switch (chunk.status) {
+          case INITIALIZED: {
+            return chunk.value;
+          }
+          case ERRORED:
+            throw chunk.reason;
+        }
+        // Otherwise, we didn't have enough time to load the object before it was
+        // accessed or the connection closed. So we just log that it was omitted.
+        // TODO: We should ideally throw here to indicate a difference.
+        return OMITTED_PROP_ERROR;
+      },
+      enumerable: true,
+      configurable: false,
+    });
+  }
   return null;
 }
 
@@ -2510,14 +2529,16 @@ function parseModelString(
           // In DEV mode we encode omitted objects in logs as a getter that throws
           // so that when you try to access it on the client, you know why that
           // happened.
-          Object.defineProperty(parentObject, key, {
-            get: function () {
-              // TODO: We should ideally throw here to indicate a difference.
-              return OMITTED_PROP_ERROR;
-            },
-            enumerable: true,
-            configurable: false,
-          });
+          if (key !== __PROTO__) {
+            Object.defineProperty(parentObject, key, {
+              get: function () {
+                // TODO: We should ideally throw here to indicate a difference.
+                return OMITTED_PROP_ERROR;
+              },
+              enumerable: true,
+              configurable: false,
+            });
+          }
           return null;
         }
         // Fallthrough
@@ -5143,6 +5164,9 @@ function parseModel<T>(response: Response, json: UninitializedModel): T {
 function createFromJSONCallback(response: Response) {
   // $FlowFixMe[missing-this-annot]
   return function (key: string, value: JSONValue) {
+    if (key === __PROTO__) {
+      return undefined;
+    }
     if (typeof value === 'string') {
       // We can't use .bind here because we need the "this" value.
       return parseModelString(response, this, key, value);

packages/react-client/src/ReactFlightReplyClient.js

@@ -95,6 +95,8 @@ export type ReactServerValue =
 
 type ReactServerObject = {+[key: string]: ReactServerValue};
 
+const __PROTO__ = '__proto__';
+
 function serializeByValueID(id: number): string {
   return '$' + id.toString(16);
 }
@@ -361,6 +363,15 @@ export function processReply(
   ): ReactJSONValue {
     const parent = this;
 
+    if (__DEV__) {
+      if (key === __PROTO__) {
+        console.error(
+          'Expected not to serialize an object with own property `__proto__`. When parsed this property will be omitted.%s',
+          describeObjectForErrorMessage(parent, key),
+        );
+      }
+    }
+
     // Make sure that `parent[key]` wasn't JSONified before `value` was passed to us
     if (__DEV__) {
       // $FlowFixMe[incompatible-use]
@@ -780,6 +791,10 @@ export function processReply(
     if (typeof value === 'function') {
       const referenceClosure = knownServerReferences.get(value);
       if (referenceClosure !== undefined) {
+        const existingReference = writtenObjects.get(value);
+        if (existingReference !== undefined) {
+          return existingReference;
+        }
         const {id, bound} = referenceClosure;
         const referenceClosureJSON = JSON.stringify({id, bound}, resolveToJSON);
         if (formData === null) {
@@ -789,7 +804,10 @@ export function processReply(
         // The reference to this function came from the same client so we can pass it back.
         const refId = nextPartId++;
         formData.set(formFieldPrefix + refId, referenceClosureJSON);
-        return serializeServerReferenceID(refId);
+        const serverReferenceId = serializeServerReferenceID(refId);
+        // Store the server reference ID for deduplication.
+        writtenObjects.set(value, serverReferenceId);
+        return serverReferenceId;
       }
       if (temporaryReferences !== undefined && key.indexOf(':') === -1) {
         // TODO: If the property name contains a colon, we don't dedupe. Escape instead.

packages/react-server-dom-esm/src/server/ReactFlightDOMServerNode.js

@@ -332,12 +332,17 @@ function prerenderToNodeStream(
 function decodeReplyFromBusboy<T>(
   busboyStream: Busboy,
   moduleBasePath: ServerManifest,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   const response = createResponse(
     moduleBasePath,
     '',
     options ? options.temporaryReferences : undefined,
+    undefined,
+    options ? options.arraySizeLimit : undefined,
   );
   let pendingFiles = 0;
   const queuedFields: Array<string> = [];
@@ -403,7 +408,10 @@ function decodeReplyFromBusboy<T>(
 function decodeReply<T>(
   body: string | FormData,
   moduleBasePath: ServerManifest,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   if (typeof body === 'string') {
     const form = new FormData();
@@ -415,6 +423,7 @@ function decodeReply<T>(
     '',
     options ? options.temporaryReferences : undefined,
     body,
+    options ? options.arraySizeLimit : undefined,
   );
   const root = getRoot<T>(response);
   close(response);

packages/react-server-dom-parcel/src/server/ReactFlightDOMServerBrowser.js

@@ -248,7 +248,10 @@ export function registerServerActions(manifest: ServerManifest) {
 
 export function decodeReply<T>(
   body: string | FormData,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   if (typeof body === 'string') {
     const form = new FormData();
@@ -260,6 +263,7 @@ export function decodeReply<T>(
     '',
     options ? options.temporaryReferences : undefined,
     body,
+    options ? options.arraySizeLimit : undefined,
   );
   const root = getRoot<T>(response);
   close(response);

packages/react-server-dom-parcel/src/server/ReactFlightDOMServerEdge.js

@@ -253,7 +253,10 @@ export function registerServerActions(manifest: ServerManifest) {
 
 export function decodeReply<T>(
   body: string | FormData,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   if (typeof body === 'string') {
     const form = new FormData();
@@ -265,6 +268,7 @@ export function decodeReply<T>(
     '',
     options ? options.temporaryReferences : undefined,
     body,
+    options ? options.arraySizeLimit : undefined,
   );
   const root = getRoot<T>(response);
   close(response);

packages/react-server-dom-parcel/src/server/ReactFlightDOMServerNode.js

@@ -562,12 +562,17 @@ export function registerServerActions(manifest: ServerManifest) {
 
 export function decodeReplyFromBusboy<T>(
   busboyStream: Busboy,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   const response = createResponse(
     serverManifest,
     '',
     options ? options.temporaryReferences : undefined,
+    undefined,
+    options ? options.arraySizeLimit : undefined,
   );
   let pendingFiles = 0;
   const queuedFields: Array<string> = [];
@@ -632,7 +637,10 @@ export function decodeReplyFromBusboy<T>(
 
 export function decodeReply<T>(
   body: string | FormData,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   if (typeof body === 'string') {
     const form = new FormData();
@@ -644,6 +652,7 @@ export function decodeReply<T>(
     '',
     options ? options.temporaryReferences : undefined,
     body,
+    options ? options.arraySizeLimit : undefined,
   );
   const root = getRoot<T>(response);
   close(response);
@@ -652,7 +661,10 @@ export function decodeReply<T>(
 
 export function decodeReplyFromAsyncIterable<T>(
   iterable: AsyncIterable<[string, string | File]>,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   const iterator: AsyncIterator<[string, string | File]> =
     iterable[ASYNC_ITERATOR]();
@@ -661,6 +673,8 @@ export function decodeReplyFromAsyncIterable<T>(
     serverManifest,
     '',
     options ? options.temporaryReferences : undefined,
+    undefined,
+    options ? options.arraySizeLimit : undefined,
   );
 
   function progress(

packages/react-server-dom-turbopack/src/server/ReactFlightDOMServerBrowser.js

@@ -242,7 +242,10 @@ function prerender(
 function decodeReply<T>(
   body: string | FormData,
   turbopackMap: ServerManifest,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   if (typeof body === 'string') {
     const form = new FormData();
@@ -254,6 +257,7 @@ function decodeReply<T>(
     '',
     options ? options.temporaryReferences : undefined,
     body,
+    options ? options.arraySizeLimit : undefined,
   );
   const root = getRoot<T>(response);
   close(response);

packages/react-server-dom-turbopack/src/server/ReactFlightDOMServerEdge.js

@@ -247,7 +247,10 @@ function prerender(
 function decodeReply<T>(
   body: string | FormData,
   turbopackMap: ServerManifest,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   if (typeof body === 'string') {
     const form = new FormData();
@@ -259,6 +262,7 @@ function decodeReply<T>(
     '',
     options ? options.temporaryReferences : undefined,
     body,
+    options ? options.arraySizeLimit : undefined,
   );
   const root = getRoot<T>(response);
   close(response);
@@ -268,7 +272,10 @@ function decodeReply<T>(
 function decodeReplyFromAsyncIterable<T>(
   iterable: AsyncIterable<[string, string | File]>,
   turbopackMap: ServerManifest,
-  options?: {temporaryReferences?: TemporaryReferenceSet},
+  options?: {
+    temporaryReferences?: TemporaryReferenceSet,
+    arraySizeLimit?: number,
+  },
 ): Thenable<T> {
   const iterator: AsyncIterator<[string, string | File]> =
     iterable[ASYNC_ITERATOR]();
@@ -277,6 +284,8 @@ function decodeReplyFromAsyncIterable<T>(
     turbopackMap,
     '',
     options ? options.temporaryReferences : undefined,
+    undefined,
+    options ? options.arraySizeLimit : undefined,
   );
 
   function progress(