Automattic / cli-table

Pretty unicode tables for the CLI with Node.JS
MIT License

Security Fix for Prototype Pollution - huntr.dev #142

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

@ready-research (https://huntr.dev/users/ready-research) has fixed a potential Prototype Pollution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
|---|---|
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/cli-table/pull/1 |

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @ready-research, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata *

cli-table is vulnerable to Prototype Pollution. This package allows for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-cli-table

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fixed by avoiding setting magical attributes.

πŸ› Proof of Concept (PoC) *

  1. Create the following PoC file:
// poc.js
var cliTable = require("cli-table")
const payload = JSON.parse('{"__proto__":{"polluted":"Yes! Its Polluted"}}');
var obj = {}
console.log("Before : " + {}.polluted);
cliTable(payload);
console.log("After : " + {}.polluted);
  1. Execute the following commands in terminal:
npm i cli-table # Install affected module
node poc.js #  Run the PoC
  1. Check the Output:
    Before : undefined
    After : Yes! Its Polluted

🔥 Proof of Fix (PoF) *

After the fix, execution will block prototype pollution and `polluted` will be `undefined`.

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

🔗 Relates to...

https://github.com/418sec/huntr/pull/1976
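The description above explains the mechanism (a recursive options merge that follows a `__proto__` key from parsed JSON down to `Object.prototype`) and the fix ("avoiding setting magical attributes"). The following is an added example, not cli-table's own code or the patch from this PR: a naive recursive merge next to a hardened one that skips the prototype-bearing keys, plus a small check that shows the first one leaks a property onto every object while the second does not. The function names, the `FORBIDDEN_KEYS` set and the `UNTRUSTED_JSON` input are all constructed for this illustration.

```javascript
// Added example (not cli-table's code): naive vs. hardened deep merge of
// untrusted options, demonstrating how "__proto__" reaches Object.prototype.

// Keys that must never be walked or assigned when merging untrusted input.
// (Assumed set; "__proto__" is the one this PR's PoC exercises.)
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Naive deep merge. Object.keys() returns "__proto__" as an ordinary own key
// of a JSON.parse result, and reading target["__proto__"] on a plain target
// yields Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: refuse the magical keys outright and only descend into
// a nested object the target actually owns (not one inherited via the chain).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const ownsNested =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownsNested) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed untrusted input: a pollution attempt plus a legitimate option
// override, so we can see that the hardened merge still applies the latter.
const UNTRUSTED_JSON = '{"__proto__":{"polluted":"yes"},"style":{"head":["red"]}}';

// Runs one merge strategy against the constructed input and reports whether
// an unrelated fresh object picked up the injected property. Cleans up the
// prototype afterwards so the two runs do not influence each other.
function demonstrate(mergeFn) {
  const defaults = { style: { head: ["green"], border: ["grey"] } };
  const merged = mergeFn(defaults, JSON.parse(UNTRUSTED_JSON));
  const leaked = {}.polluted; // a brand-new object, never touched by the merge
  delete Object.prototype.polluted;
  return { leaked, head: merged.style.head, border: merged.style.border };
}

console.log("unsafeMerge:", demonstrate(unsafeMerge)); // leaked: "yes"
console.log("safeMerge:  ", demonstrate(safeMerge));   // leaked: undefined
```

The key-name check is the minimal fix; a complementary defence is to build merge targets with `Object.create(null)` so there is no prototype chain to reach at all, and to treat an incoming `__proto__` key as a signal worth logging, since legitimate configuration never carries one.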

JamieSlome commented 3 years ago

@ready-research @chrean - this addresses https://github.com/Automattic/cli-table/issues/141 - thanks! 🍰

JamieSlome commented 3 years ago

@chrean - thanks for the merge! 🍰

If you are interested, you can pop our badge in your README.md. It tells security researchers to disclose future vulnerabilities to us, and handle them on your behalf. Plus, the researchers get a bounty for securing your repo:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)


chrean commented 3 years ago

Badge added :)