Skip to content

🔒 fix: prevent application crash on Symbol property access in proxy#19

Merged
johnstrand merged 1 commit into
masterfrom
security-fix/symbol-proxy-crash-17171355926253609186
Jul 8, 2026
Merged

🔒 fix: prevent application crash on Symbol property access in proxy#19
johnstrand merged 1 commit into
masterfrom
security-fix/symbol-proxy-crash-17171355926253609186

Conversation

@johnstrand

Copy link
Copy Markdown
Owner

🎯 What: This PR fixes a vulnerability where accessing a Symbol on the useSquawk or usePending proxies would lead to an application crash.
⚠️ Risk: If any code (React internals, external dev tools, or third-party packages) accesses a Symbol on the proxy, the application would crash due to improperly tracking the Symbol in the proxy get trap and then failing to process it during context subscriber lookups.
🛡️ Solution: Added a typeof prop === "string" check in the Proxy get handlers for both useSquawk and usePending to ensure only intended string properties are tracked as contexts. Also added tests to ensure regressions don't occur.


PR created automatically by Jules for task 17171355926253609186 started by @johnstrand

The `useSquawk` and `usePending` proxy traps were adding properties to their context tracking unconditionally. When internal operations (like React DevTools or frameworks) check for Symbols (e.g., `Symbol.iterator`, `Symbol.toStringTag`), this resulted in adding a Symbol to a context tracking Set, which would later cause a type error and application crash when attempting to retrieve subscribers for that Symbol.
This change safely ignores property accesses that are not strings.

Co-authored-by: johnstrand <11484777+johnstrand@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@johnstrand johnstrand merged commit f3c16fd into master Jul 8, 2026
@johnstrand johnstrand deleted the security-fix/symbol-proxy-crash-17171355926253609186 branch July 8, 2026 11:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant