test_runner: protect internals against prototype tampering

Author: aduh95

lib/internal/test_runner/test.js

@@ -222,7 +222,7 @@ class Test extends AsyncResource {
       }
     }
 
-    const test = new Factory({ fn, name, parent, ...options, ...overrides });
+    const test = new Factory({ __proto__: null, fn, name, parent, ...options, ...overrides });
 
     if (parent.waitingOn === 0) {
       parent.waitingOn = test.testNumber;

test/fixtures/test-runner/protoMutation.js

@@ -0,0 +1,3 @@
+'use strict';
+
+Object.prototype.skip = true;

test/parallel/test-runner-cli.js

@@ -34,6 +34,22 @@ const testFixtures = fixtures.path('test-runner');
   assert.match(stdout, /ok 4 - .+random\.cjs/);
 }
 
+{
+  // Same but with a prototype mutation in require scripts.
+  const args = ['--require', join(testFixtures, 'protoMutation.js'), '--test', testFixtures];
+  const child = spawnSync(process.execPath, args);
+
+  const stdout = child.stdout.toString();
+  assert.match(stdout, /ok 1 - .+index\.test\.js/);
+  assert.match(stdout, /not ok 2 - .+random\.test\.mjs/);
+  assert.match(stdout, /not ok 1 - this should fail/);
+  assert.match(stdout, /ok 3 - .+subdir.+subdir_test\.js/);
+  assert.match(stdout, /ok 4 - .+random\.cjs/);
+  assert.strictEqual(child.status, 1);
+  assert.strictEqual(child.signal, null);
+  assert.strictEqual(child.stderr.toString(), '');
+}
+
 {
   // User specified files that don't match the pattern are still run.
   const args = ['--test', testFixtures, join(testFixtures, 'index.js')];