requirejs / r.js

Runs RequireJS in Node and Rhino, and used to run the RequireJS optimizer

Prototype Pollution Vulnerability Affecting requirejs@2.3.6 module #1015

Closed tariqhawis closed 1 month ago

tariqhawis commented 4 months ago

Details sent directly to the maintainer

vtulse commented 3 months ago

Team, any update on this issue?

artola commented 1 month ago

@jrburke It would be possible and cheap to sanitize the config; it is only one place to fix.

https://github.com/requirejs/r.js/blob/acec5366eb9094e670b6d1a87457634e74d6384e/require.js#L1283

```javascript
// Recursively strip own "__proto__" keys from a parsed config object so a
// later deep copy cannot write through to Object.prototype.
function sanitize(obj) {
  if (obj && typeof obj === 'object') {
    // Call hasOwnProperty from Object.prototype rather than on obj: a config
    // that carries its own "hasOwnProperty" key would otherwise throw here.
    const hasOwn = Object.prototype.hasOwnProperty;

    if (hasOwn.call(obj, '__proto__')) {
      delete obj.__proto__; // removes the own data property only
    }

    for (const key in obj) {
      if (hasOwn.call(obj, key) && typeof obj[key] === 'object') {
        sanitize(obj[key]); // null is rejected by the guard above
      }
    }
  }
}
```

...

```javascript
            configure: function (cfg) {
               sanitize(cfg); // strip "__proto__" before cfg is merged
```

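The sanitize-then-merge approach proposed in the comment above, written out as an added example that is neither r.js code nor the commenter's snippet. It places a deep merge that reads keys through the prototype chain (the hazard this issue is about) beside one that copies own properties only and runs a sanitize pass first. The function names, the `BLOCKED_KEYS` list and the sample JSON are assumptions for this illustration; the list goes beyond the single `__proto__` check proposed above.

```javascript
// Added example, not code from r.js. Names and the blocked-key list are
// assumptions for this illustration.

const hasOwn = Object.prototype.hasOwnProperty;

// Keys that let a nested object reach Object.prototype during a deep copy.
// The proposal above strips only "__proto__"; "constructor" and "prototype"
// are blocked here too, because target.constructor.prototype is the same object.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively remove blocked keys from a parsed config. Object.keys() returns
// own keys only, so a "__proto__" key created by JSON.parse is seen and
// deleted while the object's real prototype link is left untouched.
function sanitize(obj) {
  if (obj === null || typeof obj !== 'object') return obj;
  for (const key of Object.keys(obj)) {
    if (BLOCKED_KEYS.has(key)) {
      delete obj[key];
    } else {
      sanitize(obj[key]);
    }
  }
  return obj;
}

// The hazard: `target["__proto__"]` resolves to Object.prototype, so the
// recursion writes the nested values onto every plain object.
function mixinDeepUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      mixinDeepUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: own keys only, blocked keys skipped, and nested targets
// created fresh instead of being looked up through the prototype chain.
// Skipping "__proto__" matters even with own-key checks: assigning
// target["__proto__"] = {} would silently re-parent the target.
function mixinDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const existing = hasOwn.call(target, key) ? target[key] : undefined;
      const nested = existing !== null && typeof existing === 'object' ? existing : {};
      target[key] = mixinDeepSafe(nested, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Entry point modelled on a configure(cfg) hook: parse untrusted JSON,
// sanitize it, then merge it into a base config.
function applyConfig(json, base = { baseUrl: '/js', paths: {} }) {
  return mixinDeepSafe(base, sanitize(JSON.parse(json)));
}

// Constructed sample: JSON.parse turns "__proto__" into an own data property,
// which an object literal would not do.
const SAMPLE_JSON = '{"paths":{"app":"../app"},"__proto__":{"polluted":"yes"}}';

// Run both merges against the sample and report whether Object.prototype
// picked up the "polluted" key. The unsafe branch is cleaned up afterwards so
// the process is left as it was found.
function demo() {
  const result = {};

  mixinDeepUnsafe({}, JSON.parse(SAMPLE_JSON));
  result.unsafePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted;

  const cfg = applyConfig(SAMPLE_JSON);
  result.safePolluted = ({}).polluted !== undefined;
  result.pathsKept = cfg.paths.app === '../app';
  result.protoKeyDropped = !hasOwn.call(cfg, '__proto__');
  return result;
}

console.log(demo()); // prints { unsafePolluted: true, safePolluted: false, pathsKept: true, protoKeyDropped: true }
```

The sanitize pass and the own-key merge are two independent layers: the merge alone already refuses the blocked keys, and the sanitize pass protects any other consumer of the parsed config that might still walk it with a plain `for...in`.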
prantlf commented 1 month ago

EDITED

Initially, I couldn't reproduce this vulnerability using the example code. When looking at the code, I saw the functions hasProp, getOwn, eachProp and mixin, which allow only own properties to be accessed. If you copy own properties from one object to another, they will not be placed onto the prototype.

I couldn't reproduce the vulnerability using my fork. I didn't notice that I was testing with that version. I could reproduce it using the official require.js 2.3.6.

jrburke commented 1 month ago

This should be fixed in 2.3.7: https://github.com/requirejs/requirejs/issues/1854