Open alromh87 opened 4 years ago
I personally think that the risk is mainly in passing data that has not been sanitized. We could rewrite this PR to offer an option to sanitize unsafe parameters. Otherwise prototype modification is a regular part of life and if some creative person wants to use unflatten in this way they should be able to.
`unflatten` is vulnerable to Prototype Pollution. This package allows modification of prototype behavior using a `__proto__` payload, which may result in Information Disclosure/DoS/RCE.

Description

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as `__proto__`, `constructor` and `prototype`. An attacker manipulates these attributes to overwrite, or pollute, the prototype of the base object of a JavaScript application by injecting other values. Properties on `Object.prototype` are then inherited by all JavaScript objects through the prototype chain.
Technical Description

Fixed by refusing to set the magical attributes: the key path is sanitized before it is passed to lodash.
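The sanitization the fix describes, shown as an added example that is not the package's own code: a minimal unflatten (hypothetical names `safePath`, `safeUnflatten`, `runSample`) that drops any key whose path contains `__proto__`, `constructor` or `prototype` before assigning it, so a `__proto__` payload never reaches `Object.prototype`. The input object is constructed for the example.

```javascript
// Path segments that would walk into the prototype chain instead of the target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a delimited key into segments; return null if any segment is unsafe.
function safePath(key, delimiter = '.') {
  const parts = key.split(delimiter);
  return parts.some((p) => UNSAFE_KEYS.has(p)) ? null : parts;
}

// Assign value at an already-validated path, creating plain intermediate objects.
function setPath(target, parts, value) {
  let node = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const p = parts[i];
    if (node[p] === null || typeof node[p] !== 'object') node[p] = {};
    node = node[p];
  }
  node[parts[parts.length - 1]] = value;
}

// { 'a.b': 1 } -> { a: { b: 1 } }; keys rejected by safePath are reported, not applied.
function safeUnflatten(flat, delimiter = '.') {
  const result = {};
  const rejected = [];
  for (const key of Object.keys(flat)) {
    const parts = safePath(key, delimiter);
    if (parts === null) { rejected.push(key); continue; }
    setPath(result, parts, flat[key]);
  }
  return { result, rejected };
}

// Constructed sample input, parsed from JSON as untrusted data usually arrives.
const SAMPLE = '{"__proto__.polluted": true, "user.name": "alice", "constructor.prototype.x": 1}';

// Run the sample and report whether a fresh object inherited anything.
function runSample() {
  const { result, rejected } = safeUnflatten(JSON.parse(SAMPLE));
  return { result, rejected, polluted: ({}).polluted };
}

console.log(JSON.stringify(runSample()));
```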
Proof of Concept (PoC)
Outputs true.
Proof of Fix (PoF)

After the fix, execution returns: `polluted is not defined`

User Acceptance Testing (UAT)

After the fix, functionality is unaffected.