[ ] Check this if you would like to implement a PR, we are more than happy to help you go through the process.
Current and expected behavior
Overview
A Prototype Pollution vulnerability affects chartist, versions >=1.0.0 <=1.3.0, because the option-merging code does not check whether a key resolves to the object prototype. This allows an attacker to inject a malicious property through the built-in Object property __proto__; since the property lands on Object.prototype, every object in the program that inherits from it (i.e. practically all plain objects) then exposes the injected property.
Reproduction
sent directly to the maintainer's email
Chartist version
1.3.0
Possible solution
Freeze the root prototype using Object.freeze
Require schema validation of JSON input.
Avoid using unsafe recursive merge functions.
Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
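As an added illustration of the pattern this report describes (constructed for this page, not chartist's own code), the block below places a naive recursive merge next to a hardened one that applies the suggestions above: it skips __proto__, constructor and prototype, walks only own keys, and creates nested containers with Object.create(null). The merge functions, the demoPollution helper and the JSON payload are all assumptions made here for the demonstration.

```javascript
// Illustration written for this report; not chartist's code.
// Both merge functions are constructed here to show the pattern.

// Vulnerable: a naive recursive merge that walks every key of `source`,
// including an own property literally named "__proto__" (which JSON.parse
// happily creates). Reading target["__proto__"] returns Object.prototype,
// so the recursion writes the attacker's keys onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach into the prototype chain, iterate
// own keys only, and build nested containers without a prototype so a
// later merge cannot climb out of them either.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {      // own enumerable keys only
    if (FORBIDDEN_KEYS.has(key)) continue;        // never touch the prototype chain
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!existing || typeof existing !== 'object' || Array.isArray(existing)) {
        target[key] = Object.create(null);        // prototype-less container
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge with a constructed attacker payload (as it would arrive from
// untrusted JSON) and reports whether an unrelated object picked up the
// injected property. Cleans Object.prototype afterwards so repeated calls
// start from a clean state.
function demoPollution(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "labels": ["a"]}');
  const victim = {};                       // unrelated object, untouched by the merge
  const options = mergeFn({ labels: [] }, payload);
  const leaked = victim.polluted;          // "yes" only if Object.prototype was polluted
  delete Object.prototype.polluted;
  return { leaked, labels: options.labels };
}

console.log('unsafeMerge leaked:', demoPollution(unsafeMerge).leaked);  // "yes"
console.log('safeMerge leaked:', demoPollution(safeMerge).leaked);      // undefined
```

Object.freeze(Object.prototype), the first suggestion in the list, is deliberately not exercised here: it is process-global and would also mask the unsafeMerge result, so it is best applied once at application start-up and verified in its own test.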
Would you like to work on a fix?