This PR fixes the basic attack for CVE-2022-22912. Issue #114.
This PR introduces a new invariant where <key> tags can't have the __proto__ value, avoiding prototype pollution attacks. While testing I noticed both the __proto__ string and variations with backslash such as _\_proto_\_ can trigger the vulnerability, but both attacks are stopped by this fix.
I went through the codebase and the only vector of attack I found for this vulnerability was through the dict and key, but would appreciate the maintainers' advice in case I have missed something.
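The invariant described in this PR, sketched as an added example that is not part of the PR or the project's code: it shows why assigning a `__proto__` key while building an object from a `<dict>` changes the object's prototype, and how rejecting that key stops it. The helper names, the error message and the pair-array stand-in for parsed XML nodes are assumptions made for illustration.

```javascript
// Added example; buildDict, inheritedKeys and SAMPLE are hypothetical names.
// A <dict> is modelled as an array of [keyText, value] pairs, where value is
// a string or a nested pair array (a stand-in for parsed XML nodes).
function buildDict(pairs, opts) {
  const obj = {};
  for (const [key, value] of pairs) {
    if (opts.enforceInvariant && key === '__proto__') {
      throw new Error('__proto__ keys can lead to prototype pollution');
    }
    // Without the check, obj['__proto__'] = {...} goes through the inherited
    // __proto__ setter and replaces obj's prototype instead of adding a key.
    obj[key] = Array.isArray(value) ? buildDict(value, opts) : value;
  }
  return obj;
}

// Constructed input, equivalent to:
// <dict><key>__proto__</key><dict><key>isAdmin</key><string>yes</string></dict>
//       <key>name</key><string>demo</string></dict>
const SAMPLE = [
  ['__proto__', [['isAdmin', 'yes']]],
  ['name', 'demo'],
];

function parseUnchecked() {
  return buildDict(SAMPLE, { enforceInvariant: false });
}

function parseChecked() {
  try {
    return { ok: true, value: buildDict(SAMPLE, { enforceInvariant: true }) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Check usable in a regression test: properties readable on the object
// that are not its own, i.e. that arrived through a swapped prototype.
function inheritedKeys(obj) {
  const found = [];
  for (const k in obj) {
    if (!Object.prototype.hasOwnProperty.call(obj, k)) found.push(k);
  }
  return found;
}
```

A regression test for the fix can assert that `inheritedKeys` returns an empty array for every object the parser produces, or that parsing throws.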