hapijs / hoek

Node utilities shared among the extended hapi universe

Node Security Project marking Hoek with CVSS 4 #232

Closed blacksun1 closed 6 years ago

blacksun1 commented 6 years ago

Hi,

Our build pipeline picked up the Node Security Project issue of "Prototype pollution attack" (https://nodesecurity.io/advisories/566) this morning. We have temporarily put in place an exception like the following

.nsprc

{
  "exceptions": [
    "https://nodesecurity.io/advisories/566"
  ]
}

But it would be good if this could be looked at by someone who knows what they are doing.

Here is a copy of the issue:

Overview

The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the `__proto__` property.

This can be demonstrated like so:

var Hoek = require('hoek');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);

This type of attack can be used to overwrite existing properties causing a potential denial of service.

Thanks in advance,

blacksun1 commented 6 years ago

Sorry, after looking at the Hoek code I see that this was already fixed. Sorry for wasting your time.

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.