helmetjs / content-security-policy-parser

parse content security policy directives

If a user provides __proto__ as policy name, behaviour is changed.

pnappa opened this issue · comments

Potential odd effects if an attacker can supply input.

Node 21.6.1:

const parse = require('content-security-policy-parser');

const x = parse("default-src 'self'; __proto__ foobar");
console.log('raw print:', x);
console.log('toString:', x.toString());

Prints:

raw print: Array { 'default-src': [ "'self'" ] }
toString: foobar

This can't really be made into an exploit I think, but I guess it's unusual behaviour?

Suggested fixes: Whitelist the valid CSP policy commands (default-src, etc). Alternatively, you could also block __proto__ and prototype, but the former probably is nicer behaviour (it's handy to have invalid types stripped out). Or, use Object.create(null) instead of {} when you create the result variable.
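The behaviour described in the report, reproduced with a minimal parser beside the Map-based fix the post suggests (Object.create(null) works the same way). This is an added example, not the library's code; the splitting logic and function names are assumed.

```javascript
// Added example, not the library's code. Two minimal CSP parsers:
// the first uses a plain {} for its result, the second a Map.

// Naive version: assigning result["__proto__"] on a plain object
// replaces its prototype instead of adding a key, so the values array
// becomes the prototype and its length / index 0 are inherited.
function parseNaive(policy) {
  const result = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    result[name] = values;
  }
  return result;
}

// Hardened version: a Map has no prototype-keyed setter, so any
// directive name, "__proto__" included, is stored as ordinary data.
// Names are lower-cased (CSP directive names are case-insensitive) and
// the first occurrence of a directive wins, as browsers do.
function parseSafe(policy) {
  const result = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    const key = name.toLowerCase();
    if (!result.has(key)) result.set(key, values);
  }
  return result;
}

// Compare both parsers on the policy from the report.
function demo(policy = "default-src 'self'; __proto__ foobar") {
  const naive = parseNaive(policy);
  const safe = parseSafe(policy);
  return {
    naiveOwnKeys: Object.keys(naive),       // ["default-src"]: __proto__ vanished
    naiveToString: String(naive),           // "foobar": via the hijacked prototype
    naiveLength: naive.length,              // 1, inherited from the array
    safeKeys: [...safe.keys()],             // ["default-src", "__proto__"]
    safeProtoValues: safe.get("__proto__"), // ["foobar"], plain data
  };
}
```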

Thanks for reporting. I'll fix this soon.

This has been fixed in content-security-policy-parser@0.5.0. Thanks for reporting!