jonschlinkert / kind-of

Get the native JavaScript type of a value, fast. Used by superstruct, micromatch and many others!
https://github.com/jonschlnkert
MIT License
347 stars 38 forks

type checking #30

Closed xiaofen9 closed 4 years ago

xiaofen9 commented 4 years ago

We found that a maliciously crafted user-input object can manipulate the type checking result of the kind-of module. The vulnerability is from the following code: kind-of leverages the built-in constructor of unsafe user input to detect type information. However, a crafted payload can overwrite this built-in attribute to manipulate the type detection result.

https://github.com/jonschlinkert/kind-of/blob/4da96c0047906d22a4d6964a668d3abaca122e50/index.js#L68-L70

Reproduce Script

var kindOf = require('kind-of');

// Attacker-controlled object, e.g. the result of JSON.parse() on a request body.
// The "constructor" key shadows Object.prototype.constructor with a plain object
// whose .name is "Symbol", so a name-based check reads the attacker's value.
var user_input = {
  user: 'barney',
  age: 36,
  active: true,
  "constructor":{"name":"Symbol"}
};
console.log(kindOf(user_input));

This issue can be fixed by adding one simple check to the ctorName() function: check typeof val.constructor === 'function'. This check can patch the vulnerability because attackers can't use JSON to send function instances to the victim server.

elordahl commented 4 years ago

@xiaofen9 would you care to submit this fix as a PR, for @jonschlinkert to review? 😎

jonschlinkert commented 4 years ago

A PR would be great.

Could you provide a more detailed description of specifically how and when this could become an actual exploit?

jonschlinkert commented 4 years ago

I've locked the issue to prevent useless and distracting "me too" comments.

@xiaofen9 if you want to create a PR, that would be great.

It would help if you could add a description of when and how this can be used "maliciously". We can't think of one scenario where that could ever happen... but that doesn't mean it can't, so we'd love to be enlightened so that we know better in the future.

doowb commented 4 years ago

Closed by #31