Prototype Pollution Vulnerability Affecting requirejs@2.3.6 module

[tariqhawis]

Details sent directly to the maintainer

[vtulse]

Team any update on this issues

[artola]

@jrburke It would be possible and cheap to sanitize the config, it is only 1 place to fix.

r.js/require.js

Line 1283 in acec536

//Make sure the baseUrl ends in a slash.

function sanitize(obj) {
  if (obj && typeof obj === 'object') {
    if (obj.hasOwnProperty('__proto__')) {
      delete obj.__proto__;
    }

    for (const key in obj) {
      if (obj.hasOwnProperty(key) && typeof obj[key] === 'object') {
        sanitize(obj[key]);
      }
    }
  }
}

...

            configure: function (cfg) {
               sanitize(cfg);

[prantlf]

EDITED

Initially, I couldn't reproduce this vulnerability using the example code. When looking at the code, I saw functions hasProp, getOwn, eachProp, mixin, which allow only own properties accessed. If you copy own properties from one object to another one, they will not be placed to the prototype.

I couldn't reproduce the vulnerability using my fork. I didn't notice that I was testing with that version. I could reproduce it using the official require.js 2.3.6.

[jrburke]

This should be fixed in 2.3.7: requirejs/requirejs#1854