timdown / rangy

A cross-browser JavaScript range and selection library.
MIT License

Prototype pollution in function extend in the file rangy-core.js #478

Closed lelecolacola123 closed 1 year ago

lelecolacola123 commented 1 year ago

Affected versions of this package are vulnerable to Prototype Pollution. Rangy runs the risk of Prototype Pollution when using the function extend in file rangy-core.js. The function uses a recursive merge, leading an attacker to modify properties of the Object.prototype. The risk is located here: https://github.com/timdown/rangy/blob/8aea7eb14b31d9c7240ce539544bef9337a8b597/lib/rangy-core.js#L167 https://github.com/timdown/rangy/blob/8aea7eb14b31d9c7240ce539544bef9337a8b597/lib/rangy-core.js#L165 and the PoC is as follows:

var rangy = require("rangy")
BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');
console.log({}.test) //undefined
rangy.util.extend({},BAD_JSON,{})
console.log({}.test) //"123"

anlesk commented 1 year ago

This one got closed, but pops up in the CVE reports: https://nvd.nist.gov/vuln/detail/CVE-2023-26102 with no fix available. Was it actually fixed, or is the CVE report incorrect? cc: @timdown @lelecolacola123

lelecolacola123 commented 1 year ago

Hi, the problem is still there, please fix it. If you need, I will reopen the issue.

krzysztof-osiecki commented 1 year ago

If I understand the PoC, then the 1.3.1 version is not affected by this issue. Testing that against 1.3.1 prints undefined for both console.logs. However, I don't see any lines of code changed in the pointed method since 2014. Was it a false positive? Or maybe solved on the browser side. Tested on current versions of Chrome, Edge, Firefox and Safari.

zpbrent commented 10 months ago

Hi @krzysztof-osiecki

The PoC above should be "BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');", where the "__proto__" has "__" before and after the "proto", but it looks like the original PoC directly writes "_\" and can be incorrectly parsed as the bold format by the GitHub markup. Please try the PoC below in your browsers again. I have tried this on the latest Chrome with rangy 1.3.1 and can successfully reproduce this issue:

BAD_JSON = JSON.parse('{"__proto__":{"test":123}}');
console.log({}.test) //undefined
rangy.util.extend({},BAD_JSON,{})
console.log({}.test) //"123"

krzysztof-osiecki commented 10 months ago

@zpbrent in my app on Chrome 119.0.6045.200 it still does not behave like described. The second console.log still prints undefined. However, executing this extend does break jQuery on the page for some reason, so something is wrong, it seems.

zpbrent commented 10 months ago

Hi @krzysztof-osiecki, I ran the PoC in my Chrome with the same version (119.0.6045.200) as yours, but on Windows 10.

I have also attached a video to show how I reproduce the PoC: https://github.com/timdown/rangy/assets/834641/a5eafb5b-6521-4b00-88b0-fd6ccbecfd79

Hope it can help you identify the issue on your side :-)

krzysztof-osiecki commented 10 months ago

Sure, I did the same thing on my site and got different behavior. Maybe it's about the way rangy is added to my site. Just to clarify so that we are on the same page: I'm NOT a rangy developer, I just stumbled upon this issue while trying to clear vulnerabilities in my own project.

zpbrent commented 10 months ago

Hi @krzysztof-osiecki, there is no official fix for this vulnerability currently, but some others have fixed it in their fork at https://github.com/FL3XX-dev/rangy. If you are concerned about the vulnerability in your projects, using the fixed version from FL3XX-dev may be an option.
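As an added example (not rangy's code and not the FL3XX-dev fix), the following shows a hypothetical recursive merge of the shape the thread describes beside a hardened version that refuses to walk into `__proto__`, `constructor` and `prototype`, plus a regression check a project could run against whichever `extend` it ships. The `naiveExtend` function is an assumption about how such a merge is typically written, not rangy's actual implementation, and the payload is constructed for the check.

```javascript
// Hypothetical vulnerable shape: walks every enumerable key, including the
// inherited accessor "__proto__", so dst["__proto__"] resolves to Object.prototype
// and the recursion writes into it.
function naiveExtend(dst, src) {
  for (var key in src) {
    var value = src[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!dst[key] || typeof dst[key] !== "object") dst[key] = {};
      naiveExtend(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that reach the prototype chain through a plain property write or read.
var UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened version: own keys only, unsafe keys skipped, and a nested target is
// only reused when it is an own property of dst (never an inherited object).
function safeExtend(dst, src) {
  for (var key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    var value = src[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || typeof dst[key] !== "object") {
        dst[key] = {};
      }
      safeExtend(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Regression check: merges a constructed pollution payload into an empty object
// and reports whether Object.prototype picked up the "test" property.
// Cleans up afterwards so later checks start from an unpolluted prototype.
function pollutes(extendFn) {
  var payload = JSON.parse('{"__proto__":{"test":123}}'); // constructed input
  extendFn({}, payload);
  var polluted = ({}).test === 123;
  delete Object.prototype.test;
  return polluted;
}
```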