Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

__proto__ vulnerability #533

Closed
KSXGitHub opened this issue Feb 1, 2020 · 1 comment
Closed

__proto__ vulnerability #533

KSXGitHub opened this issue Feb 1, 2020 · 1 comment

Comments

@KSXGitHub
Copy link

KSXGitHub commented Feb 1, 2020
edited
Loading 

const { load, safeLoad } = require('js-yaml')
const yamlText = '__proto__: { evil: true }'
const a = load(yamlText)
const b = safeLoad(yamlText)
console.log(a.evil, b.evil)

Expect: undefined undefined
Received: true true

If I use js-yaml to process user's input, it would allow malicious users to inject object prototype into my server.
@puzrin
Copy link
Member

puzrin commented Feb 1, 2020

  1. This dupes Object properties should be created using defineProperty #164.
  2. This is NOT vulnerability, because does not affects other objects.

@puzrin puzrin closed this as completed Feb 1, 2020
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@puzrin @KSXGitHub