Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Security fix for Prototype Pollution#1

Open
arjunshibu wants to merge 1 commit into
418sec:mainfrom
arjunshibu:main
Open

Security fix for Prototype Pollution#1
arjunshibu wants to merge 1 commit into
418sec:mainfrom
arjunshibu:main

Conversation

@arjunshibu
Copy link
Copy Markdown

@arjunshibu arjunshibu commented Jan 6, 2021

📊 Metadata *

@szydlovski/deep-object is vulnerable to Prototype Pollution.

Bounty URL: https://www.huntr.dev/bounties/1-npm-%40szydlovski%2Fdeep-object

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fix implemented by not allowing to modify object prototype.

🐛 Proof of Concept (PoC) *

  1. Create the following PoC file:
// poc.js
var deepObject = require("@szydlovski/deep-object")
var obj = {}
console.log("Before : " + {}.polluted);
deepObject.setProperty(obj, '__proto__.polluted', 'Yes! Its Polluted');
console.log("After : " + {}.polluted);
  1. Execute the following commands in terminal:
npm i @szydlovski/deep-object # Install affected module
node poc.js #  Run the PoC
  1. Check the Output:
Before : undefined
After : Yes! Its Polluted

🔥 Proof of Fix (PoF) *

deep-object-fix

+1 User Acceptance Testing (UAT)

  • I've executed unit tests.
  • After fix the functionality is unaffected.

@JamieSlome
Copy link
Copy Markdown

JamieSlome commented Jan 25, 2021

👋 Hello, @szydlovski - @arjunshibu has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@szydlovski & @arjunshibu - thank you for your efforts in securing the world’s open source code! 🎉

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bbeale bbeale Awaiting requested review from bbeale

@Mik317 Mik317 Awaiting requested review from Mik317

@mufeedvh mufeedvh Awaiting requested review from mufeedvh

@mzfr mzfr Awaiting requested review from mzfr

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arjunshibu @JamieSlome