Skip to content
This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fix Prototype Pollution #1

Closed
wants to merge 1 commit into from
Closed

Conversation

alromh87
Copy link

@alromh87 alromh87 commented Oct 18, 2020

📊 Metadata *

json-ptr is vulnerable to Prototype Pollution.
This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-json-ptr/

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fixed by avoiding setting magical attributes.

🐛 Proof of Concept (PoC) *

  1. Create the following PoC file:
// poc.js
var {JsonPointer } = require("json-ptr")
var obj = {}
console.log("Before : " + obj.polluted);
JsonPointer.set(obj,'/__proto__/polluted','Yes! Its Polluted', true);
var obj1 ={}
console.log("After : " + obj1.polluted);
  1. Execute the following commands in another terminal:
npm i json-ptr # Install affected module
node poc.js #  Run the PoC
  1. Check the Output:
Before : undefined
After : Yes! Its Polluted

Captura de pantalla de 2020-10-18 13-00-01

Same result can be achieved with next poc, the proposed fix also handles this case:

var {JsonPointer } = require("./dist/")
var obj = {}
console.log("Before : " + obj.polluted);
JsonPointer.set(obj,'/constructor/prototype/polluted','Yes! Its Polluted', true);
var obj1 ={}
console.log("After : " + obj1.polluted);

🔥 Proof of Fix (PoF) *

After fix execution will block prototype pollution and throw an exception

Captura de pantalla de 2020-10-18 13-00-22

👍 User Acceptance Testing (UAT)

After fix functionality is unafected

@ghost ghost requested a review from JamieSlome October 21, 2020 21:06
Copy link

@Mik317 Mik317 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 😄 🍰
Not sure if it's better returning the not modified object instead of a error though 👍

Cheers,
Mik

Copy link

@bbeale bbeale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll echo what @Mik317 said regarding throwing an error vs returning the unmodified object, but despite that matter of opinion, the fix itself looks good to me.

@alromh87
Copy link
Author

Thanks for the reviews, I choosed throw emulating library behaviour https://github.com/418sec/json-ptr/blob/master/src/util.ts#L158-L164

Neverteless sent PR that will not throw #2

@ghost
Copy link

ghost commented Oct 22, 2020

Thanks for the fix! In this case it looks like the upstream repo has merged in a fix last night. Cheers 👍

@alromh87
Copy link
Author

In this case I want to point out that fix has been submited 4 days before upstream

@JamieSlome
Copy link

@alromh87 - because the fix has already been made upstream, we won't merge this in, however, we can offer you some credits for your diligence!

Cheers! 🍰

@JamieSlome JamieSlome closed this Nov 2, 2020
@huntr-helper
Copy link

Sorry alromh87, we enjoyed reviewing your fix but it has not been selected this time. If this bounty has not been closed, please feel free to try again with a new pull request!

We appreciate your effort and look forward to reviewing more of your fixes in the future! 🔨😎

Come join us on Discord

@alromh87
Copy link
Author

alromh87 commented Nov 4, 2020

@JamieSlome I understand your point, but I would argue that this fix was posted 4 days before it was merged upstream and 2 days before the merged commit, also calls my attention the exact same words used for the throw. Its the same charcater by character...

https://github.com/flitbit/json-ptr/pull/26/files#diff-3294a832ea2276e554177e0b3007cc2d401c082912c7fbde49fa09141bf1aed1R175-R177

https://github.com/418sec/json-ptr/pull/1/files#diff-3294a832ea2276e554177e0b3007cc2d401c082912c7fbde49fa09141bf1aed1R175-R177

So citing another huntr "I feel it was stolen from me". 😞

@JamieSlome
Copy link

@alromh87 - Let me have a look into this and I will get back to you here.

Cheers! 🍰

@alromh87
Copy link
Author

@JamieSlome any news on the matter?

@JamieSlome
Copy link

@alromh87 - apologies for the delay!

Unfortunately, we can't award the fix, but we will make sure to be more aware of this case in the future to prevent this from happening again.

Cheers! 🍰

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants