Closed spratt closed 2 years ago
A vulnerability detection tool I use is flagging the merge function, and particularly this line: https://github.com/lukeed/dset/blob/master/src/merge.js#L9
The tool says that the function is vulnerable to prototype pollution as per this paper: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
Reading through the code and the paper, it seems like there is a check to mitigate prototype pollution in the dset function that uses merge, but not in merge itself. Would the merge function benefit from such a check? Or would that break something?
Thanks, Simon
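To illustrate the check the question is asking about, here is an added example (not dset's own merge.js, and the names `mergeUnguarded`, `mergeGuarded` and `findBlockedKeyPaths` are hypothetical): a minimal recursive merge that follows every source key, beside the same merge with prototype-related keys refused at every level, plus a helper that reports such keys in untrusted input before any merge runs. `SAMPLE` is a constructed JSON body of the shape the cited paper describes.

```javascript
// Added example, not dset's merge.js: a minimal recursive merge that walks
// every source key, beside the same merge with the guard the issue asks about.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unguarded: a source key "__proto__" resolves target["__proto__"] to
// Object.prototype, so the recursion writes into every object's prototype.
function mergeUnguarded(target, src) {
  for (const k of Object.keys(src)) {
    if (isPlainObject(src[k]) && isPlainObject(target[k])) {
      mergeUnguarded(target[k], src[k]);
    } else {
      target[k] = src[k];
    }
  }
  return target;
}

// Guarded: skip prototype-related keys at every level, and only descend into
// own properties of the target, never inherited ones.
function mergeGuarded(target, src) {
  for (const k of Object.keys(src)) {
    if (BLOCKED_KEYS.has(k)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, k);
    if (isPlainObject(src[k]) && own && isPlainObject(target[k])) {
      mergeGuarded(target[k], src[k]);
    } else {
      target[k] = src[k];
    }
  }
  return target;
}

// Detection: list dotted paths of blocked keys in untrusted input so the
// request can be rejected or logged before any merge runs.
function findBlockedKeyPaths(obj, path = []) {
  const hits = [];
  if (!isPlainObject(obj)) return hits;
  for (const k of Object.keys(obj)) {
    const p = path.concat(k);
    if (BLOCKED_KEYS.has(k)) hits.push(p.join('.'));
    hits.push(...findBlockedKeyPaths(obj[k], p));
  }
  return hits;
}

// Constructed sample: JSON.parse creates "__proto__" as an own key, which is
// exactly why a merge that iterates Object.keys(src) must filter it.
const SAMPLE = JSON.parse('{"name":"x","__proto__":{"polluted":true},"opts":{"constructor":{"prototype":{"y":1}}}}');
```

Note that the guard only protects the levels the merge actually recurses into; nested source objects copied by reference (like `opts` above) keep their keys, which is why screening input with `findBlockedKeyPaths` before merging is a useful second layer.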
I created a PR for this: https://github.com/lukeed/dset/pull/34
Closed by #34 and #38