Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Security Fix for Prototype Pollution #1

Open
ready-research wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Security Fix for Prototype Pollution #1

ready-research wants to merge 1 commit into from

Conversation

@ready-research
Copy link

@ready-research ready-research commented Apr 20, 2021

📊 Metadata *

set-deep-prop is vulnerable to Prototype Pollution.
This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-set-deep-prop/

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fixed by avoiding setting magical attributes.

🐛 Proof of Concept (PoC) *

  1. Create the following PoC file:
// poc.js
const setDeepProp = require('set-deep-prop');
var obj = {};
console.log("Before : " + {}.polluted);
setDeepProp(obj, ["__proto__","polluted"], "Yes! Its Polluted");
console.log("After : " + {}.polluted);
  1. Execute the following commands in terminal:
npm i set-deep-prop # Install affected module
node poc.js #  Run the PoC
  1. Check the Output:
Before : undefined
After : Yes! Its Polluted

🔥 Proof of Fix (PoF) *

After fix execution will block prototype pollution and polluted will be [undefined.]

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

@huntr-helper
Copy link

huntr-helper commented Apr 20, 2021

👋 Hello, @mmckelvy. @ready-research has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM

☎️ Need further support?

Come and join us on our community Discord!

@mmckelvy - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

huntr

@ready-research ready-research mentioned this pull request Apr 20, 2021
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ready-research @huntr-helper