Locale: prevent prototype pollution #6393

Closed
chluo1997 opened this issue Apr 15, 2024 · 3 comments · Fixed by #6395, leoo1992/GeradorQRCode#23 or leoo1992/GeradorQRCode#27

@chluo1997

Describe the bug

The below updateLocaleOption() function uses key as the object index without sanitizing its value. If key is assigned to __proto__ during the execution of unsafe application code, prototype pollution occurs. See prototype pollution.

const updateLocaleOption = (key, value, locale) => {
    localeOptions(locale)[key] = value;
};

Suggested patches:

It is recommended to blacklist attack payloads assigned to key.

const updateLocaleOption = (key, value, locale) => {
+  if (key.includes('__proto__') || key.includes('prototype')) {
+      throw new Error('Unsafe key detected');
+  }
    localeOptions(locale)[key] = value;
};
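
Review bot: the guard on the first added line matches by substring, so key.includes('prototype') rejects any option key that merely contains that word, and key.includes itself throws a TypeError rather than 'Unsafe key detected' when key is not a string. Suggest a typeof key === 'string' check followed by an exact comparison against '__proto__' and 'prototype'. On the unchanged line, locale still reaches localeOptions(locale) with no validation in this hunk, so the same guard is worth applying to that argument.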

Reproducer

No response

PrimeReact version

10.6.3

React version

18.x

Language

TypeScript

Build / Runtime

Create React App (CRA)

Browser(s)

No response

Steps to reproduce the behavior

No response

Expected behavior

No response
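
An added example, not part of the original issue and not PrimeReact's own code: the function quoted above next to a hardened variant, run against a constructed locale store. The store, the localeOptions stand-in, the Unsafe/Safe names and the demo helpers are assumptions made for illustration.

```javascript
// Constructed stand-in for the library's locale store (assumption: the page
// does not show localeOptions(), so a plain-object lookup is used here).
const locales = { en: { accept: 'Yes', reject: 'No' } };
const localeOptions = (locale) => locales[locale];

// The function as quoted in the issue: key is used as an index unchecked.
const updateLocaleOptionUnsafe = (key, value, locale) => {
    localeOptions(locale)[key] = value;
};

const hasOwn = (obj, prop) => Object.prototype.hasOwnProperty.call(obj, prop);
// The two names the issue's patch blocks, matched exactly, not by substring.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype']);

// Hardened variant (hypothetical name): exact-match key check plus an
// own-property check on locale, so inherited names never resolve to an object.
const updateLocaleOptionSafe = (key, value, locale) => {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
        throw new Error('Unsafe key detected');
    }
    if (typeof locale !== 'string' || !hasOwn(locales, locale)) {
        throw new Error('Unknown locale');
    }
    localeOptions(locale)[key] = value;
};

// Effect of key === '__proto__' on the unsafe version: the locale object's
// prototype is swapped, so it exposes a property it never owned.
function demoUnsafe() {
    const before = Object.getPrototypeOf(locales.en);
    updateLocaleOptionUnsafe('__proto__', { injected: true }, 'en');
    const result = {
        inherited: locales.en.injected === true,
        own: hasOwn(locales.en, 'injected')
    };
    Object.setPrototypeOf(locales.en, before); // restore for later calls
    return result;
}

// Same input, plus a legitimate key, through the hardened version.
function demoSafe() {
    let rejected = false;
    try { updateLocaleOptionSafe('__proto__', { injected: true }, 'en'); } catch (e) { rejected = true; }
    updateLocaleOptionSafe('prototypeLabel', 'ok', 'en'); // a substring match would reject this
    return { rejected, injected: locales.en.injected, label: locales.en.prototypeLabel };
}
```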

chluo1997 added the Status: Needs Triage label Apr 15, 2024
melloware added the Type: Security label and removed the Status: Needs Triage label Apr 15, 2024
melloware self-assigned this Apr 15, 2024
melloware added this to the 10.6.4 milestone Apr 15, 2024
melloware added a commit to melloware/primereact that referenced this issue Apr 15, 2024
@melloware
Member

See my PR. I had to defend it in a few more spots in Locale.

melloware added a commit to melloware/primereact that referenced this issue Apr 15, 2024
melloware changed the title from "A patch to prevent prototype pollution" to "Locale: prevent prototype pollution" Apr 15, 2024
@chluo1997
Author

> See my PR. I had to defend it in a few more spots in Locale.

That is great!

@melloware
Member

Thanks for the heads up!
