fix(websocket): prevent prototype pollution in WebSocket options

cirospaciari · cirospaciari · commit c28218a1d7d8 · 2026-01-07T14:17:16.000-08:00
Replace getIfPropertyExists() with own-property-only access in
JSWebSocket.cpp to prevent prototype pollution attacks.

Previously, setting Object.prototype.rejectUnauthorized = false would
disable TLS verification for all WebSocket connections. Now, only
properties directly on the options object are read.

- Add getOwnPropertyIfExists() helper to ObjectBindings.h/cpp
- Replace all 19 getIfPropertyExists() calls in JSWebSocket.cpp
- Uses methodTable()-&gt;getOwnPropertySlot() for strictest security
diff --git a/src/bun.js/bindings/ObjectBindings.cpp b/src/bun.js/bindings/ObjectBindings.cpp
@@ -92,4 +92,19 @@ JSC::JSValue getIfPropertyExistsPrototypePollutionMitigation(JSC::VM& vm, JSC::J
     return value;
 }
 
+JSC::JSValue getOwnPropertyIfExists(JSC::JSGlobalObject* globalObject, JSC::JSObject* object, const JSC::PropertyName& name)
+{
+    auto& vm = JSC::getVM(globalObject);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    PropertySlot slot(object, PropertySlot::InternalMethodType::GetOwnProperty, nullptr);
+    if (!object->methodTable()->getOwnPropertySlot(object, globalObject, name, slot)) {
+        RETURN_IF_EXCEPTION(scope, {});
+        return JSC::jsUndefined();
+    }
+    RETURN_IF_EXCEPTION(scope, {});
+    JSValue value = slot.getValue(globalObject, name);
+    RETURN_IF_EXCEPTION(scope, {});
+    return value;
+}
+
 }
diff --git a/src/bun.js/bindings/ObjectBindings.h b/src/bun.js/bindings/ObjectBindings.h
@@ -24,4 +24,11 @@ ALWAYS_INLINE JSC::JSValue getIfPropertyExistsPrototypePollutionMitigation(JSC::
     return getIfPropertyExistsPrototypePollutionMitigation(JSC::getVM(globalObject), globalObject, object, name);
 }
 
+/**
+ * Gets an own property only (no prototype chain lookup).
+ * Returns jsUndefined() if property doesn't exist as own property.
+ * This is the strictest form of property access - use for security-critical options.
+ */
+JSC::JSValue getOwnPropertyIfExists(JSC::JSGlobalObject* globalObject, JSC::JSObject* object, const JSC::PropertyName& name);
+
 }
diff --git a/src/bun.js/bindings/webcore/JSWebSocket.cpp b/src/bun.js/bindings/webcore/JSWebSocket.cpp
@@ -65,6 +65,7 @@
 #include "FetchHeaders.h"
 #include "JSFetchHeaders.h"
 #include "headers.h"
+#include "ObjectBindings.h"
 
 namespace WebCore {
 using namespace JSC;
@@ -221,7 +222,7 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
 
     if (JSC::JSObject* options = optionsObjectValue.getObject()) {
         const auto& builtinnames = WebCore::builtinNames(vm);
-        auto headersValue = options->getIfPropertyExists(globalObject, builtinnames.headersPublicName());
+        auto headersValue = Bun::getOwnPropertyIfExists(globalObject, options, builtinnames.headersPublicName());
         RETURN_IF_EXCEPTION(throwScope, {});
         if (headersValue) {
             if (!headersValue.isUndefinedOrNull()) {
@@ -230,15 +231,15 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
             }
         }
 
-        auto protocolsValue = options->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "protocols"_s)));
+        auto protocolsValue = Bun::getOwnPropertyIfExists(globalObject, options, PropertyName(Identifier::fromString(vm, "protocols"_s)));
         RETURN_IF_EXCEPTION(throwScope, {});
         if (protocolsValue) {
             if (!protocolsValue.isUndefinedOrNull()) {
                 protocols = convert<IDLSequence<IDLDOMString>>(*lexicalGlobalObject, protocolsValue);
                 RETURN_IF_EXCEPTION(throwScope, {});
             }
         } else {
-            auto protocolValue = options->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "protocol"_s)));
+            auto protocolValue = Bun::getOwnPropertyIfExists(globalObject, options, PropertyName(Identifier::fromString(vm, "protocol"_s)));
             RETURN_IF_EXCEPTION(throwScope, {});
             if (protocolValue) {
                 if (!protocolValue.isUndefinedOrNull()) {
@@ -249,12 +250,12 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
         }
 
         // Parse TLS options using Zig's SSLConfig.fromJS for full TLS option support
-        JSValue tlsOptionsValue = options->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "tls"_s)));
+        JSValue tlsOptionsValue = Bun::getOwnPropertyIfExists(globalObject, options, PropertyName(Identifier::fromString(vm, "tls"_s)));
         RETURN_IF_EXCEPTION(throwScope, {});
         if (tlsOptionsValue && !tlsOptionsValue.isUndefinedOrNull() && tlsOptionsValue.isObject()) {
             // Also extract rejectUnauthorized for backwards compatibility
             if (JSC::JSObject* tlsOptions = tlsOptionsValue.getObject()) {
-                auto rejectUnauthorizedValue = tlsOptions->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "rejectUnauthorized"_s)));
+                auto rejectUnauthorizedValue = Bun::getOwnPropertyIfExists(globalObject, tlsOptions, PropertyName(Identifier::fromString(vm, "rejectUnauthorized"_s)));
                 RETURN_IF_EXCEPTION(throwScope, {});
                 if (rejectUnauthorizedValue && !rejectUnauthorizedValue.isUndefinedOrNull() && rejectUnauthorizedValue.isBoolean()) {
                     rejectUnauthorized = rejectUnauthorizedValue.asBoolean() ? 1 : 0;
@@ -267,7 +268,7 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
         }
 
         // Parse proxy option - can be string or { url, headers }
-        auto proxyValue = options->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "proxy"_s)));
+        auto proxyValue = Bun::getOwnPropertyIfExists(globalObject, options, PropertyName(Identifier::fromString(vm, "proxy"_s)));
         RETURN_IF_EXCEPTION(throwScope, {});
         if (proxyValue) {
             if (!proxyValue.isUndefinedOrNull()) {
@@ -278,14 +279,14 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
                 } else if (proxyValue.isObject()) {
                     // proxy: { url: "http://proxy:8080", headers: {...} }
                     if (JSC::JSObject* proxyOptions = proxyValue.getObject()) {
-                        auto proxyUrlValue = proxyOptions->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "url"_s)));
+                        auto proxyUrlValue = Bun::getOwnPropertyIfExists(globalObject, proxyOptions, PropertyName(Identifier::fromString(vm, "url"_s)));
                         RETURN_IF_EXCEPTION(throwScope, {});
                         if (proxyUrlValue && !proxyUrlValue.isUndefinedOrNull()) {
                             proxyUrl = convert<IDLUSVString>(*lexicalGlobalObject, proxyUrlValue);
                             RETURN_IF_EXCEPTION(throwScope, {});
                         }
 
-                        auto proxyHeadersValue = proxyOptions->getIfPropertyExists(globalObject, builtinnames.headersPublicName());
+                        auto proxyHeadersValue = Bun::getOwnPropertyIfExists(globalObject, proxyOptions, builtinnames.headersPublicName());
                         RETURN_IF_EXCEPTION(throwScope, {});
                         if (proxyHeadersValue && !proxyHeadersValue.isUndefinedOrNull()) {
                             // Check if it's already a Headers instance (like fetch does)
@@ -312,20 +313,20 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
         // Parse agent option - extract proxy from agent.proxy if no explicit proxy
         // This supports HttpsProxyAgent and similar agent libraries
         if (proxyUrl.isNull() || proxyUrl.isEmpty()) {
-            auto agentValue = options->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "agent"_s)));
+            auto agentValue = Bun::getOwnPropertyIfExists(globalObject, options, PropertyName(Identifier::fromString(vm, "agent"_s)));
             RETURN_IF_EXCEPTION(throwScope, {});
             if (agentValue && !agentValue.isUndefinedOrNull() && agentValue.isObject()) {
                 if (JSC::JSObject* agentObj = agentValue.getObject()) {
                     // Get agent.proxy (can be URL object or string)
-                    auto agentProxyValue = agentObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "proxy"_s)));
+                    auto agentProxyValue = Bun::getOwnPropertyIfExists(globalObject, agentObj, PropertyName(Identifier::fromString(vm, "proxy"_s)));
                     RETURN_IF_EXCEPTION(throwScope, {});
                     if (agentProxyValue && !agentProxyValue.isUndefinedOrNull()) {
                         if (agentProxyValue.isString()) {
                             proxyUrl = convert<IDLUSVString>(*lexicalGlobalObject, agentProxyValue);
                         } else if (agentProxyValue.isObject()) {
                             // URL object - get .href property
                             if (JSC::JSObject* urlObj = agentProxyValue.getObject()) {
-                                auto hrefValue = urlObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "href"_s)));
+                                auto hrefValue = Bun::getOwnPropertyIfExists(globalObject, urlObj, PropertyName(Identifier::fromString(vm, "href"_s)));
                                 RETURN_IF_EXCEPTION(throwScope, {});
                                 if (hrefValue && hrefValue.isString()) {
                                     proxyUrl = convert<IDLUSVString>(*lexicalGlobalObject, hrefValue);
@@ -336,7 +337,7 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
                     }
 
                     // Get agent.proxyHeaders
-                    auto proxyHeadersValue = agentObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "proxyHeaders"_s)));
+                    auto proxyHeadersValue = Bun::getOwnPropertyIfExists(globalObject, agentObj, PropertyName(Identifier::fromString(vm, "proxyHeaders"_s)));
                     RETURN_IF_EXCEPTION(throwScope, {});
                     if (proxyHeadersValue && !proxyHeadersValue.isUndefinedOrNull()) {
                         // If it's a function, call it
@@ -368,16 +369,16 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
                     // We build a filtered object with only supported TLS options (ca, cert, key, passphrase, rejectUnauthorized)
                     // to avoid passing invalid properties like ALPNProtocols to the SSL parser
                     if (rejectUnauthorized == -1 && !sslConfig) {
-                        auto connectOptsValue = agentObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "connectOpts"_s)));
+                        auto connectOptsValue = Bun::getOwnPropertyIfExists(globalObject, agentObj, PropertyName(Identifier::fromString(vm, "connectOpts"_s)));
                         RETURN_IF_EXCEPTION(throwScope, {});
                         if (!connectOptsValue || connectOptsValue.isUndefinedOrNull()) {
-                            connectOptsValue = agentObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "options"_s)));
+                            connectOptsValue = Bun::getOwnPropertyIfExists(globalObject, agentObj, PropertyName(Identifier::fromString(vm, "options"_s)));
                             RETURN_IF_EXCEPTION(throwScope, {});
                         }
                         if (connectOptsValue && !connectOptsValue.isUndefinedOrNull() && connectOptsValue.isObject()) {
                             if (JSC::JSObject* connectOptsObj = connectOptsValue.getObject()) {
                                 // Extract rejectUnauthorized
-                                auto rejectValue = connectOptsObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "rejectUnauthorized"_s)));
+                                auto rejectValue = Bun::getOwnPropertyIfExists(globalObject, connectOptsObj, PropertyName(Identifier::fromString(vm, "rejectUnauthorized"_s)));
                                 RETURN_IF_EXCEPTION(throwScope, {});
                                 if (rejectValue && rejectValue.isBoolean()) {
                                     rejectUnauthorized = rejectValue.asBoolean() ? 1 : 0;
@@ -387,28 +388,28 @@ static inline JSC::EncodedJSValue constructJSWebSocket3(JSGlobalObject* lexicalG
                                 JSC::JSObject* filteredTlsOpts = JSC::constructEmptyObject(globalObject);
                                 bool hasTlsOpts = false;
 
-                                auto caValue = connectOptsObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "ca"_s)));
+                                auto caValue = Bun::getOwnPropertyIfExists(globalObject, connectOptsObj, PropertyName(Identifier::fromString(vm, "ca"_s)));
                                 RETURN_IF_EXCEPTION(throwScope, {});
                                 if (caValue && !caValue.isUndefinedOrNull()) {
                                     filteredTlsOpts->putDirect(vm, Identifier::fromString(vm, "ca"_s), caValue);
                                     hasTlsOpts = true;
                                 }
 
-                                auto certValue = connectOptsObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "cert"_s)));
+                                auto certValue = Bun::getOwnPropertyIfExists(globalObject, connectOptsObj, PropertyName(Identifier::fromString(vm, "cert"_s)));
                                 RETURN_IF_EXCEPTION(throwScope, {});
                                 if (certValue && !certValue.isUndefinedOrNull()) {
                                     filteredTlsOpts->putDirect(vm, Identifier::fromString(vm, "cert"_s), certValue);
                                     hasTlsOpts = true;
                                 }
 
-                                auto keyValue = connectOptsObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "key"_s)));
+                                auto keyValue = Bun::getOwnPropertyIfExists(globalObject, connectOptsObj, PropertyName(Identifier::fromString(vm, "key"_s)));
                                 RETURN_IF_EXCEPTION(throwScope, {});
                                 if (keyValue && !keyValue.isUndefinedOrNull()) {
                                     filteredTlsOpts->putDirect(vm, Identifier::fromString(vm, "key"_s), keyValue);
                                     hasTlsOpts = true;
                                 }
 
-                                auto passphraseValue = connectOptsObj->getIfPropertyExists(globalObject, PropertyName(Identifier::fromString(vm, "passphrase"_s)));
+                                auto passphraseValue = Bun::getOwnPropertyIfExists(globalObject, connectOptsObj, PropertyName(Identifier::fromString(vm, "passphrase"_s)));
                                 RETURN_IF_EXCEPTION(throwScope, {});
                                 if (passphraseValue && !passphraseValue.isUndefinedOrNull()) {
                                     filteredTlsOpts->putDirect(vm, Identifier::fromString(vm, "passphrase"_s), passphraseValue);

Original file line number	Diff line number	Diff line change
`@@ -24,4 +24,11 @@ ALWAYS_INLINE JSC::JSValue getIfPropertyExistsPrototypePollutionMitigation(JSC::`
`24`	`24`	`return getIfPropertyExistsPrototypePollutionMitigation(JSC::getVM(globalObject), globalObject, object, name);`
`25`	`25`	`}`
`26`	`26`
	`27`	`+/**`
	`28`	`+ * Gets an own property only (no prototype chain lookup).`
	`29`	`+ * Returns jsUndefined() if property doesn't exist as own property.`
	`30`	`+ * This is the strictest form of property access - use for security-critical options.`
	`31`	`+ */`
	`32`	`+JSC::JSValue getOwnPropertyIfExists(JSC::JSGlobalObject* globalObject, JSC::JSObject* object, const JSC::PropertyName& name);`
	`33`	`+`
`27`	`34`	`}`