Skip to content
This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Security fix for prototype pollution #1

Merged
merged 1 commit into from
Jan 13, 2021
Merged

Security fix for prototype pollution #1

merged 1 commit into from
Jan 13, 2021

Conversation

arjunshibu
Copy link

@arjunshibu arjunshibu commented Nov 23, 2020
edited by JamieSlome
Loading

📊 Metadata *

convict is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-convict

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fix implemented by not allowing to modify object prototype.

🐛 Proof of Concept (PoC) *

  • Create the following PoC file:
// poc.js
var convict = require("convict");
var obj = {};
var config = convict(obj);
console.log("Before : " + {}.polluted);
config.set("__proto__.polluted","Yes! Its Polluted");
console.log("After : " + {}.polluted);
  • Execute the following commands in another terminal:
npm i convict # Install affected module
node poc.js #  Run the PoC
  • Check the Output:
Before : undefined
After : Yes! Its Polluted

🔥 Proof of Fix (PoF) *

Prototype pollution is fixed as seen below.

pof_fix

👍 User Acceptance Testing (UAT)

  • I've executed unit tests.
  • After fix the functionality is unaffected.

@arjunshibu arjunshibu mentioned this pull request Dec 6, 2020
Closed
7 tasks
@JamieSlome
Copy link

@madarche - it would be good to get your thoughts here, thanks! 🍰

We also have proposed:

#2 & #3

@JamieSlome JamieSlome requested a review from mzfr December 16, 2020 14:17
Mik317
Mik317 approved these changes Dec 28, 2020
View reviewed changes
Copy link

@Mik317 Mik317 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 😄 🍰

Cheers,
Mik

mzfr
mzfr approved these changes Dec 28, 2020
View reviewed changes
Copy link

@mzfr mzfr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good 👍

@JamieSlome JamieSlome merged commit 180d692 into 418sec:master Jan 13, 2021
@huntr-helper huntr-helper mentioned this pull request Jan 13, 2021
Merged
@huntr-helper
Copy link

Congratulations arjunshibu - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

Come join us on Discord

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bbeale bbeale Awaiting requested review from bbeale

@mufeedvh mufeedvh Awaiting requested review from mufeedvh

2 more reviewers

@mzfr mzfr mzfr approved these changes

@Mik317 Mik317 Mik317 approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@arjunshibu @JamieSlome @huntr-helper @mzfr @Mik317