Information
Package: convict
Version: 6.2.2
Github Repository: https://github.com/mozilla/node-convict/tree/master/packages/convict
Summary
This is a bypass of CVE-2022-22143.
Details
The fix introduced, relies on the startsWith method and does not prevent the vulnerability: before splitting the path, it checks if it starts with __proto__ or this.constructor.prototype. To bypass this check it's possible to prepend the dangerous paths with any string value followed by a dot, like for example foo.__proto__ or foo.this.constructor.prototype.
Below the vulnerable code:
// https://github.com/mozilla/node-convict/blob/3b86be087d8f14681a9c889d45da7fe3ad9cd880/packages/convict/src/main.js#L571
const FORBIDDEN_KEY_PATHS = [
'__proto__',
'this.constructor.prototype',
]
...
set: function(k, v) {
for (const path of FORBIDDEN_KEY_PATHS) {
if (k.startsWith(`${path}.`)) { //<-- foo.__proto__.polluted returns false
return this
}
}
v = coerce(k, v, this._schema, this)
const path = k.split('.')
const childKey = path.pop()
const parentKey = path.join('.')
const parent = walk(this._instance, parentKey, true)
parent[childKey] = v
return this
}PoC
node poc.js
Output:
undefined
polluted1
polluted2
polluted3
polluted4
polluted5Impact
The impact of this vulnerability depends on the application context. In some cases it is possible to achieve Denial of Service (DoS), Remote Code Execution (RCE), Cross-Site Scripting (XSS).
Author
Alessio Della Libera