-
Notifications
You must be signed in to change notification settings - Fork 2
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 😄 🍰
Not sure if it's better returning the not modified
object instead of a error
though 👍
Cheers,
Mik
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll echo what @Mik317 said regarding throwing an error vs returning the unmodified object, but despite that matter of opinion, the fix itself looks good to me.
Thanks for the reviews, I choosed throw emulating library behaviour https://github.com/418sec/json-ptr/blob/master/src/util.ts#L158-L164 Neverteless sent PR that will not throw #2 |
Thanks for the fix! In this case it looks like the upstream repo has merged in a fix last night. Cheers 👍 |
In this case I want to point out that fix has been submited 4 days before upstream |
@alromh87 - because the fix has already been made upstream, we won't merge this in, however, we can offer you some credits for your diligence! Cheers! 🍰 |
Sorry alromh87, we enjoyed reviewing your fix but it has not been selected this time. If this bounty has not been closed, please feel free to try again with a new pull request! We appreciate your effort and look forward to reviewing more of your fixes in the future! 🔨😎 |
@JamieSlome I understand your point, but I would argue that this fix was posted 4 days before it was merged upstream and 2 days before the merged commit, also calls my attention the exact same words used for the throw. Its the same charcater by character... So citing another huntr "I feel it was stolen from me". 😞 |
@alromh87 - Let me have a look into this and I will get back to you here. Cheers! 🍰 |
@JamieSlome any news on the matter? |
@alromh87 - apologies for the delay! Unfortunately, we can't award the fix, but we will make sure to be more aware of this case in the future to prevent this from happening again. Cheers! 🍰 |
📊 Metadata *
json-ptr
is vulnerable toPrototype Pollution
.This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.
Bounty URL: https://www.huntr.dev/bounties/1-npm-json-ptr/
⚙️ Description *
Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.
💻 Technical Description *
Fixed by avoiding setting magical attributes.
🐛 Proof of Concept (PoC) *
Same result can be achieved with next poc, the proposed fix also handles this case:
🔥 Proof of Fix (PoF) *
After fix execution will block prototype pollution and throw an exception
👍 User Acceptance Testing (UAT)
After fix functionality is unafected