vigour-io / unflatten

Opposite of flatten-obj
ISC License
2 stars, 2 forks

Fix Prototype Pollution #2

Open alromh87 opened 4 years ago

alromh87 commented 4 years ago

unflatten is vulnerable to Prototype Pollution. This package allows modification of prototype behavior using a __proto__ payload, which may result in Information Disclosure/DoS/RCE.

βš™οΈ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description

Fixed by avoiding setting magical attributes: the path is sanitized before it is passed to lodash.

πŸ› Proof of Concept (PoC) *

  1. Install the package (npm i unflatten) and run the code below:

```javascript
var unflatten = require("unflatten")
// The key is an ordinary string property here; only a bare `__proto__` key
// is special in an object literal. Splitting it on "." yields the segment
// "__proto__", which the nested setter walks into, i.e. onto Object.prototype.
unflatten({'__proto__.polluted': true});
// The bare identifier resolves through the global object's prototype chain
// to the property that was just injected into Object.prototype.
console.log(polluted);
```

Outputs true.


🔥 Proof of Fix (PoF)

After the fix, execution returns: polluted is not defined

πŸ‘ User Acceptance Testing (UAT)

After the fix, functionality is unaffected.
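To make the mechanism in the Description and the path-sanitization fix in the Technical Description concrete, here is an added example that is not code from the unflatten package or from this PR. It implements a minimal dot-path "unflatten" twice: a naive nested setter in the spirit of lodash's _.set, which the PR's payload walks straight onto Object.prototype, and a version that validates every path segment before anything is written. All names (setPathUnsafe, unflattenSafe, assertSafePath, UNSAFE_SEGMENTS, the demonstrate* helpers) and the choice to throw on an unsafe segment rather than silently drop the key are assumptions made for illustration.

```javascript
// Added example, not the unflatten package's own code. A minimal dot-path
// "unflatten" in two versions, to show why a `__proto__` segment lands on
// Object.prototype and how rejecting unsafe segments before the path reaches
// the setter stops it. All names here are assumed for illustration.

const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive nested setter in the spirit of lodash's _.set(obj, 'a.b.c', v): it
// walks (and creates) intermediate objects without checking where the walk
// leads. With the key '__proto__', node[key] is Object.prototype itself.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

function unflattenUnsafe(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    setPathUnsafe(out, path, value);
  }
  return out;
}

// The fix: validate every segment before anything is written. Throwing
// (rather than silently dropping the key) is a choice made in this example so
// that hostile input is visible to the caller.
function assertSafePath(path) {
  for (const segment of path.split('.')) {
    if (UNSAFE_SEGMENTS.has(segment)) {
      throw new Error(`unflatten: refusing unsafe path segment "${segment}" in "${path}"`);
    }
  }
  return path;
}

function unflattenSafe(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    setPathUnsafe(out, assertSafePath(path), value);
  }
  return out;
}

// Runs the PR's PoC payload against the unsafe version and reports whether a
// brand-new object inherited the injected property. Cleans up afterwards so
// the rest of the process is not left polluted.
function demonstratePollution() {
  unflattenUnsafe({ '__proto__.polluted': true });
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// Same payload against the fixed version: the call is rejected and
// Object.prototype is left untouched.
function demonstrateFix() {
  let rejected = false;
  try {
    unflattenSafe({ '__proto__.polluted': true });
  } catch (e) {
    rejected = /unsafe path segment/.test(e.message);
  }
  return rejected && ({}).polluted === undefined;
}

console.log('unsafe version pollutes Object.prototype:', demonstratePollution());
console.log('safe version rejects payload, no pollution:', demonstrateFix());
console.log('ordinary input still works:',
  JSON.stringify(unflattenSafe({ 'a.b': 1, 'a.c': 2, d: 3 })));
```

Note that the object literal key '__proto__.polluted' is an ordinary own property (only a bare `__proto__` key is special in a literal), so Object.entries hands it to the setter unchanged; it is the split into segments that produces the dangerous key, which is why the check belongs on the segments and not on the flat keys.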

coveralls commented 4 years ago


Coverage remained the same at 100.0% when pulling 36db524f858146ab55c4a39bbd92be5867870bd1 on alromh87:master into 90ff41bc6542eb2147d0bc7cac08eda004f8a0c2 on vigour-io:master.

miketheprogrammer commented 3 years ago

I personally think that the risk is mainly in passing data that has not been sanitized. We could rewrite this PR to offer an option to sanitize unsafe parameters. Otherwise prototype modification is a regular part of life and if some creative person wants to use unflatten in this way they should be able to.