fix: prototype pollution vulnerability in extend (CVE-2024-45435) #1433
dangreen merged 3 commits into chartist-js:main from
Conversation
Hi @andersk, thank you for your feedback regarding the report. I would like to highlight an additional prototype accessor:
Checking for the presence of
Best,
Nope, it's not.
extend({}, {"hasOwnProperty": {"polluted": "yes"}});
console.log(Object.prototype.hasOwnProperty.polluted); // → yes
I've pushed a more complete fix.
Please merge this fix, as its severity score is high.
| const source = sources[i]; | ||
| const targetProto = Object.getPrototypeOf(target); | ||
| for (const prop in source) { | ||
| if (targetProto !== null && prop in targetProto) { |
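Review bot: the `prop in targetProto` guard on the `if` line rejects every key that resolves anywhere on the target's prototype chain, which is what makes the `__proto__`, `constructor` and `hasOwnProperty` payloads discussed in this thread harmless for a plain-object target, but it also silently drops ordinary data keys that happen to shadow an inherited member (a source object carrying a `toString` or `valueOf` field, for instance). Worth a comment on the loop stating that this is intended, plus a test covering one such shadowing key so the behaviour is not changed by accident; note also that when `target` was created with `Object.create(null)`, `targetProto` is `null` and the guard is skipped entirely, which is safe only because such an object inherits nothing.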
I propose the following change for this line:
if (prop === "__proto__" || prop === "constructor" || (targetProto !== null && prop in targetProto)) {
See: https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/
Your change isn’t necessary because both __proto__ and constructor are already skipped by targetProto !== null && prop in targetProto.
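The guard the fix relies on, written out as an added example that is not chartist's own code: a standalone `safeExtend` (assumed name) that skips any key already resolvable on the target's prototype chain, checked against the `hasOwnProperty` payload from the earlier comment and the `__proto__`/`constructor` keys from the review exchange above. It also shows why those two names are already covered by the `in` test, and that ordinary nested data still merges. All payloads are constructed here for illustration.

```javascript
// Added example (not chartist's code): merge helper applying the
// "skip anything already on the target's prototype chain" guard.
// Assumed name: safeExtend.
function safeExtend(target = {}, ...sources) {
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const targetProto = Object.getPrototypeOf(target);
    for (const prop in source) {
      // Skip keys that resolve on the target's prototype chain: this covers
      // "__proto__", "constructor", "hasOwnProperty", "toString", ...
      if (targetProto !== null && prop in targetProto) continue;
      const value = source[prop];
      if (value !== null && typeof value === "object" && !Array.isArray(value)) {
        const existing = Object.prototype.hasOwnProperty.call(target, prop)
          ? target[prop]
          : undefined;
        target[prop] = safeExtend(
          existing !== null && typeof existing === "object" ? existing : {},
          value
        );
      } else {
        target[prop] = value;
      }
    }
  }
  return target;
}

// Constructed payloads mirroring the keys discussed in the thread.
// JSON.parse is used for the first one so that "__proto__" becomes an own
// enumerable property rather than setting the literal's prototype.
const PAYLOADS = [
  JSON.parse('{"__proto__": {"polluted": "yes"}}'),
  { constructor: { prototype: { polluted: "yes" } } },
  { hasOwnProperty: { polluted: "yes" } },
];

// Returns true when none of the payloads reached Object.prototype.
function pollutionBlocked() {
  for (const payload of PAYLOADS) safeExtend({}, payload);
  const clean = {};
  return (
    clean.polluted === undefined &&
    Object.prototype.hasOwnProperty.polluted === undefined
  );
}

// Shows why an extra `prop === "__proto__" || prop === "constructor"` test is
// redundant for a plain-object target: both names already resolve via `in`.
function inheritedNamesCovered() {
  const proto = Object.getPrototypeOf({});
  return ["__proto__", "constructor", "hasOwnProperty"].every((k) => k in proto);
}

// Ordinary data still merges, including nested objects across sources.
function normalMergeWorks() {
  const out = safeExtend({}, { a: 1, nested: { b: 2 } }, { nested: { c: 3 } });
  return out.a === 1 && out.nested.b === 2 && out.nested.c === 3;
}

console.log(pollutionBlocked(), inheritedNamesCovered(), normalMergeWorks());
```

The trade-off to keep in mind is the one the guard implies: a source key that shadows any inherited member (a data field named `toString`, say) is dropped too, so callers merging arbitrary user-supplied keys should know those names are unreachable through this helper.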
| @@ -11,7 +11,11 @@ export function extend<T, A, B>(target: T, a: A, b: B): T & A & B; | |||
| export function extend(target: any = {}, ...sources: any[]) { | |||
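Review bot: the `target: any = {}` default in this signature means the guard in the earlier hunk only ever compares against `Object.prototype` unless a caller passes its own target; if the rename-to-merge-with-`Object.create(null)` approach from the discussion is adopted later, `targetProto` becomes `null` on the normal path and the `in` check never runs, so safety then rests on a null-prototype object having no inherited `__proto__` setter. A one-line comment on the default documenting that dependency would help whoever makes that change.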
All usage cases are ones where the first argument is an empty object. We can rename extend to merge, remove the first argument, and use Object.create(null) as the target.
I can fix it myself later next week.
Seems that @andersk might not be able to help here.
No I agree in principle, but here’s the problem: Chartist.extend is part of the public API of this package, and if we bump the semver major version to remove it, that’s going to take years to propagate through the ecosystem…
https://github.com/orgs/community/discussions/142581
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
@andersk You should run the "update storyshots" action manually in your fork, then download the artifacts and update the screenshots in your branch.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
Fixes chartist-js#1427.
https://nvd.nist.gov/vuln/detail/CVE-2024-45435
https://gist.github.com/tariqhawis/c67177164d3b7975210caddb25b60d62
Signed-off-by: Anders Kaseorg <andersk@mit.edu>