Security Fix for Prototype Pollution - huntr.dev

[huntr-helper]

https://huntr.dev/users/arjunshibu has fixed the Prototype Pollution vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A Version Affected | ALL Bug Fix | YES Original Pull Request | https://github.com/418sec/node-convict/pull/1 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/convict/1/README.md

User Comments:

📊 Metadata *

convict is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-convict

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fix implemented by not allowing to modify object prototype.

🐛 Proof of Concept (PoC) *

• Create the following PoC file:

  // poc.js
  var convict = require("convict");
  var obj = {};
  var config = convict(obj);
  console.log("Before : " + {}.polluted);
  config.set("__proto__.polluted","Yes! Its Polluted");
  console.log("After : " + {}.polluted);

• Execute the following commands in another terminal:

  npm i convict # Install affected module
  node poc.js #  Run the PoC

• Check the Output:

  Before : undefined
  After : Yes! Its Polluted

🔥 Proof of Fix (PoF) *

Prototype pollution is fixed as seen below.

👍 User Acceptance Testing (UAT)

• I've executed unit tests.
• After fix the functionality is unaffected.

[colin-ife-snyk]

Hey Any updates on this issue? Estimates on fix and release date?

[colin-ife-snyk]

Not to pester but this issue has been public for almost 2 months now with no apparent activity, and I can't seem to get in touch with any active maintainers by email. Hope this fix can be applied soon, but in any case we are looking to add this to our DB soon unless there's any objection. Thanks

[dannycoates]

Not to pester but this issue has been public for almost 2 months now with no apparent activity, and I can't seem to get in touch with any active maintainers by email.

sorry y'all. this repo has been in limbo and without a primary maintainer. i'm now serving as an interim. i'll be pushing a patch release to npm shortly

[JamieSlome]

@dannycoates - thanks for the merge and support here! 👍

If you are interested in more fixes, you can let security researchers know that they can win bounties protecting this repo by adding this badge into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

[julienw]

hey @dannycoates, should we have a CWE for this vulnerability, so that github / npm warns our users?

[madarche]

This prototype pollution vulnerability has been more completely fixed with 3b86be0 and the publishing of convict@6.2.2 on NPM.

[julienw]

Thanks @madarche ! Is it possible to open a CVE or GHSA for this issue? It would be good so that github and npm warns about it.

[JamieSlome]

We are happy to help assign and publish a CVE for the original report here: https://www.huntr.dev/bounties/1-npm-convict/

@madarche - let me know if you would like us to take care of this 👍

[madarche]

@julienw @JamieSlome, I have been in contact with Snyk which has published an advisory: https://security.snyk.io/vuln/SNYK-JS-CONVICT-2340604 and has reserved a CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22143

For everyone: all versions of convict from the start up to and including 6.2.1 are vulnerable to prototype pollution. How to fix: Upgrade convict to version 6.2.2 or higher.

[madarche]

Additionally I've contacted the npm team. I'll report here when I have an answer.

[JamieSlome]

@madarche - can we add credit for @arjunshibu and also attach the original report as reference: https://www.huntr.dev/bounties/1-npm-convict

[madarche]

@JamieSlome I've just added credit for @arjunshibu in the advisory! Sorry for the omission, I tried to credit everyone, but I missed @arjunshibu! Sorry! But now it's fixed!

[JamieSlome]

Amazing, thank you so much! 👍

No apologies needed - really appreciate your time and effort on this issue.

[madarche]

So to be complete on this, here is the published security advisory: GHSA-x2w5-725j-gf2g

This advisory can be found independently from the Security tab of the project, but it's best to have a direct explicit link from here. Thanks to everyone involved!

[madarche]

I'm sorry to announce that the prototype pollution vulnerability was not fully fixed in the previous release either ☹️ Snyk Security team spotted a remaining flaw, thanks a lot. I should have thought of those cases too, sorry for that 😕

convict@6.2.3 has this vulnerability fixed and has been published to NPM.

The security advisory GHSA-x2w5-725j-gf2g has also been updated to state that all versions previous to 6.2.3 are vulnerable.

On the code side, the one and only good solution is of course to use Maps instead of Objects, but I really haven't anytime for this refactoring at this moment. But we should be safe with this last fix until this refactoring.