If a user provides __proto__ as policy name, behaviour is changed.
pnappa opened this issue
Patrick Nappa commented
Potential odd effects if an attacker can supply input.
Node 21.6.1:

```javascript
const parse = require('content-security-policy-parser');
// policy with a directive named "__proto__"
const x = parse("default-src 'self'; __proto__ foobar");
console.log('raw print:', x);
console.log('toString:', x.toString());
```

Prints:

```
raw print: Array { 'default-src': [ "'self'" ] }
toString: foobar
```
This can't really be made into an exploit I think, but I guess it's unusual behaviour?
Suggested fixes: Whitelist the valid CSP policy commands (`default-src`, etc). Alternatively, you could also block `__proto__` and `prototype`, but the former probably is nicer behaviour (it's handy to have invalid types stripped out). Or, use `Object.create(null)` instead of `{}` when you create the `result` variable.
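The two fixes proposed in the report, shown side by side with the behaviour they replace, as an added example that is not part of this issue thread and not the content-security-policy-parser library's code. The parser below is a deliberately simplified one written for this illustration; `KNOWN_DIRECTIVES` is a constructed subset of CSP directive names, and the input string is the one from the report.

```javascript
// Added example for this issue thread: a minimal CSP parser in a naive and a
// hardened form. This is NOT the content-security-policy-parser library's
// code; the parsing is simplified and KNOWN_DIRECTIVES is a constructed
// subset of CSP directive names used only to show the allowlist idea.

// Split "name value value; name value" into [name, [values...]] pairs.
function tokenize(policy) {
  const out = [];
  for (const directive of String(policy).split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    out.push([name.toLowerCase(), values]);
  }
  return out;
}

// Naive version: the result is a plain object literal, so assigning to the
// key "__proto__" goes through Object.prototype's __proto__ setter and
// replaces the object's prototype instead of adding an own property.
function parseNaive(policy) {
  const result = {};
  for (const [name, values] of tokenize(policy)) {
    result[name] = values;
  }
  return result;
}

// Constructed subset of CSP directive names for the allowlist.
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'child-src',
  'worker-src', 'frame-ancestors', 'base-uri', 'form-action',
  'report-uri', 'report-to', 'upgrade-insecure-requests',
]);

// Hardened version: a null-prototype object has no __proto__ setter, so the
// key is stored as an ordinary own property; the optional allowlist drops
// directive names that are not valid CSP directives at all.
function parseHardened(policy, { allowlist = true } = {}) {
  const result = Object.create(null);
  for (const [name, values] of tokenize(policy)) {
    if (allowlist && !KNOWN_DIRECTIVES.has(name)) continue;
    result[name] = values;
  }
  return result;
}

// Summarise what a consumer of the parsed object would observe.
function inspect(parsed) {
  const proto = Object.getPrototypeOf(parsed);
  return {
    keys: Object.keys(parsed),
    protoIsArray: Array.isArray(proto),
    protoIsNull: proto === null,
    hasOwnProto: Object.prototype.hasOwnProperty.call(parsed, '__proto__'),
  };
}

// Input from the issue report.
const INPUT = "default-src 'self'; __proto__ foobar";

console.log('naive:', inspect(parseNaive(INPUT)), 'toString ->', String(parseNaive(INPUT)));
console.log('hardened:', inspect(parseHardened(INPUT)));
console.log('hardened, no allowlist:', inspect(parseHardened(INPUT, { allowlist: false })));
```

With the naive parser the `__proto__` directive never shows up in `Object.keys`, yet the object's prototype is now the array `['foobar']`, which is why `toString()` yields `foobar`. With `Object.create(null)` the key is a plain own property (visible when the allowlist is switched off), and with the allowlist on it is simply dropped. One consequence to plan for: a null-prototype result has no inherited `toString`, `hasOwnProperty` or similar methods, so callers that relied on them need `Object.keys` or `Object.prototype.hasOwnProperty.call` instead.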
Evan Hahn commented
Thanks for reporting. I'll fix this soon.
Evan Hahn commented
This has been fixed in content-security-policy-parser@0.5.0. Thanks for reporting!