sonnyp / JSON8

JSON toolkit for JavaScript.
ISC License

pointer: fix prototype pollution #117

Closed luci-m-666 closed 3 years ago

luci-m-666 commented 3 years ago

json8-patch and json8-pointer are vulnerable to prototype pollution. PoC for json8-patch:

var json8Patch = require("json8-patch")
var obj = {}
const patch = [{op: "add", path: "/__proto__/polluted", value: "Yes! Its Polluted"}];
console.log("Before : " + obj.polluted);
json8Patch.apply(obj, patch);
console.log("After : " + {}.polluted);

json8-pointer

var json8Pointer = require("json8-pointer")
json8Pointer.unflatten({"": {},"/firstName": "John", "/__proto__/polluted": "Yes! Its Polluted"});
console.log({}.polluted)

OUTPUT

Before : undefined
After : Yes! Its Polluted

With this fix, prototype pollution can be avoided.

sonnyp commented 3 years ago

Thank you.

Made some changes and added tests.

sonnyp commented 3 years ago

released and published as 1.0.4
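A guard of the kind this PR is about, as an added example that is not part of the thread or the JSON8 code base: a minimal RFC 6901 setter that rejects the `__proto__`, `constructor` and `prototype` tokens after decoding and only descends into own properties. `parsePointer`, `setByPointer`, `FORBIDDEN` and `demo` are hypothetical names, and the change actually released in 1.0.4 may differ.

```javascript
// Added example, not JSON8 code. All names here are hypothetical.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Decode an RFC 6901 pointer into reference tokens ("~1" -> "/", then "~0" -> "~").
function parsePointer(pointer) {
  if (pointer === "") return [];
  if (pointer[0] !== "/") throw new SyntaxError("invalid JSON Pointer: " + pointer);
  return pointer
    .slice(1)
    .split("/")
    .map((t) => t.replace(/~1/g, "/").replace(/~0/g, "~"));
}

// Set `value` at `pointer`, creating intermediate objects as needed.
function setByPointer(doc, pointer, value) {
  const tokens = parsePointer(pointer);
  if (tokens.length === 0) throw new Error("cannot replace the document root");
  // Check the decoded tokens, not the raw string, before touching the document.
  for (const token of tokens) {
    if (FORBIDDEN.has(token)) throw new Error("forbidden token in pointer: " + token);
  }
  let node = doc;
  for (const token of tokens.slice(0, -1)) {
    // Never follow inherited properties: create an own property instead.
    if (!Object.prototype.hasOwnProperty.call(node, token)) node[token] = {};
    node = node[token];
    if (node === null || typeof node !== "object") {
      throw new TypeError("cannot descend into non-object at: " + token);
    }
  }
  node[tokens[tokens.length - 1]] = value;
  return doc;
}

// Replays the pointer from the report above next to a legitimate one.
function demo() {
  const blocked = [];
  for (const p of ["/__proto__/polluted"]) {
    try {
      setByPointer({}, p, "Yes! Its Polluted");
    } catch (e) {
      blocked.push(p);
    }
  }
  const ok = setByPointer({}, "/user/firstName", "John");
  return { blocked, ok, polluted: {}.polluted };
}

console.log(demo());
```

Rejecting `constructor` and `prototype` outright also refuses documents that legitimately use those key names; the own-property check is what keeps the walk off `Object.prototype` for every other inherited name.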