Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Fix Prototype Pollution #2

Closed
mohanl0l wants to merge 1 commit into from
Closed

Fix Prototype Pollution #2

mohanl0l wants to merge 1 commit into from

Conversation

@mohanl0l
Copy link

@mohanl0l mohanl0l commented Nov 23, 2020

✏️ Change Description

📊 Metadata *

convict is vulnerable to Prototype Pollution.
This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-convict/

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fixed by avoiding setting magical attributes.

🐛 Proof of Concept (PoC) *

  1. Create the following PoC file:
// poc.js
var convict = require("convict");
var obj = {};
var config = convict(obj);
console.log("Before : " + {}.polluted);
config.set("__proto__.polluted","Yes! Its Polluted");
console.log("After : " + {}.polluted);
  1. Execute the following commands in another terminal:
npm i convict # Install affected module
node poc.js #  Run the PoC
  1. Check the Output:
Before : undefined
After : Yes! Its Polluted

convict_vul

🔥 Proof of Fix (PoF) *

After fix execution will block prototype pollution and polluted will be [undefined.]

convict_fix

👍 User Acceptance Testing (UAT)

After fix functionality is unaffected.

🔗 Relates to Issue

Fixes # (418sec/huntr#1232)

@JamieSlome JamieSlome mentioned this pull request Dec 7, 2020
Merged
@JamieSlome JamieSlome requested a review from mzfr December 16, 2020 14:17
Mik317
Mik317 approved these changes Dec 28, 2020
View reviewed changes
Copy link

@Mik317 Mik317 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @gkmrrr 😄
LGTM 🍰
Not sure if it's better returning a null or unmodified object tho. Any suggestion?

Cheers,
Mik

mzfr
mzfr reviewed Dec 28, 2020
View reviewed changes
Copy link

@mzfr mzfr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest returning unmodified object.

@JamieSlome JamieSlome closed this Jan 13, 2021
@huntr-helper
Copy link

huntr-helper commented Jan 13, 2021

Sorry gkmrrr, we enjoyed reviewing your fix but it has not been selected this time. If this bounty has not been closed, please feel free to try again with a new pull request!

We appreciate your effort and look forward to reviewing more of your fixes in the future! 🔨😎

Come join us on Discord

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bbeale bbeale Awaiting requested review from bbeale

@mufeedvh mufeedvh Awaiting requested review from mufeedvh

2 more reviewers

@mzfr mzfr mzfr left review comments

@Mik317 Mik317 Mik317 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@mohanl0l @huntr-helper @mzfr @Mik317 @JamieSlome