Skip to content
This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fix Prototype Pollution #2

Merged
merged 2 commits into from
Oct 22, 2020
Merged

Fix Prototype Pollution #2

merged 2 commits into from
Oct 22, 2020

Conversation

alromh87
Copy link

@alromh87 alromh87 commented Oct 22, 2020
edited by JamieSlome
Loading

📊 Metadata *

fast-json-patch is vulnerable to Prototype Pollution.
This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-fast-json-patch

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fixed by avoiding setting missing magical attributes.

🐛 Proof of Concept (PoC) *

  1. Create the following PoC file:
// poc.js
let fastjsonpatch = require("fast-json-patch");
function A() {}
let a = new A();
let b = new A();
console.log("Before : " + a.polluted);
console.log("Before : " + b.polluted);
const patch = [{op: "replace", path: "/constructor/prototype/polluted", value: "Yes! Its Polluted"}];
fastjsonpatch.applyPatch(a, patch);
console.log("After : " + a.polluted);
console.log("After : " + b.polluted);
  1. Execute the following commands in another terminal:
npm i fast-json-patch # Install affected module
node poc.js #  Run the PoC
  1. Check the Output:
Before : undefined
Before : undefined
After : Yes! Its Polluted
After : Yes! Its Polluted

Captura de pantalla de 2020-10-22 13-56-22

🔥 Proof of Fix (PoF) *

After fix and exception will be thrown

Captura de pantalla de 2020-10-22 13-55-23

👍 User Acceptance Testing (UAT)

After fix functionality is unafected

@ghost ghost requested a review from JamieSlome October 22, 2020 10:58
@ghost ghost mentioned this pull request Oct 22, 2020
Closed
@JamieSlome JamieSlome merged commit c397b6f into 418sec:master Oct 22, 2020
@huntr-helper huntr-helper mentioned this pull request Oct 22, 2020
Merged
@huntr-helper
Copy link

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord

# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@bbeale bbeale Awaiting requested review from bbeale

@Mik317 Mik317 Awaiting requested review from Mik317

@mufeedvh mufeedvh Awaiting requested review from mufeedvh

@toufik-airane toufik-airane Awaiting requested review from toufik-airane

@JamieSlome JamieSlome Awaiting requested review from JamieSlome

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alromh87 @huntr-helper @JamieSlome