Created
August 30, 2021 06:44
-
-
Save inkz/6bc04595bba8094a25ccf076b4fcd209 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rules: | |
| - id: prototype-pollution-assignment | |
| languages: | |
| - javascript | |
| - typescript | |
| message: | | |
| Possibility of prototype polluting assignment detected. | |
| By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. | |
| This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). | |
| Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object. | |
| metadata: | |
| cwe: 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' | |
| category: security | |
| references: | |
| - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf | |
| severity: WARNING | |
| patterns: | |
| - pattern: | | |
| $X[$B] = ... | |
| - pattern-inside: | | |
| $X = $SMTH[$A] | |
| ... | |
| - pattern-not-inside: | | |
| if (<...'constructor' ...>) { | |
| ... | |
| } | |
| - pattern-not-inside: | | |
| if (<...'__proto__' ...>) { | |
| ... | |
| } | |
| - metavariable-pattern: | |
| metavariable: $A | |
| patterns: | |
| - pattern-not: '"..."' | |
| - pattern-not: | | |
| ($A: float) | |
| - metavariable-pattern: | |
| metavariable: $B | |
| patterns: | |
| - pattern-not: '"..."' | |
| - pattern-not: | | |
| ($B: float) | |
| - id: prototype-pollution-function | |
| languages: | |
| - javascript | |
| - typescript | |
| mode: taint | |
| metadata: | |
| cwe: 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' | |
| category: security | |
| references: | |
| - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf | |
| severity: WARNING | |
| message: | | |
| Possibility of prototype polluting function detected. | |
| By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. | |
| This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). | |
| Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object. | |
| pattern-sources: | |
| - pattern-either: | |
| - patterns: | |
| - pattern: $SOURCE[$B] | |
| - pattern-not: $SOURCE["..."] | |
| - pattern-not: | | |
| $SOURCE[($B: float)] | |
| - pattern: function $X(..., $SOURCE, ...) { ... } | |
| pattern-sinks: | |
| - patterns: | |
| - pattern: $TARGET[$A] = ... | |
| - pattern-not: $TARGET["..."] = ... | |
| - pattern-not: | | |
| $TARGET[($A: float)] = ... | |
| - pattern-not-inside: | | |
| if (<... $TARGET.hasOwnProperty($A) ...>) { | |
| ... | |
| } | |
| - pattern-either: | |
| - pattern-inside: | | |
| $NAME = function $F(...) { | |
| ... | |
| $NAME(...) | |
| ... | |
| } | |
| - pattern-inside: | | |
| function $NAME(...) { | |
| ... | |
| $NAME(...) | |
| ... | |
| } | |
| - pattern-inside: | | |
| function $NAME(...) { | |
| ... | |
| $THIS.$NAME(...) | |
| ... | |
| } | |
| - pattern-inside: | | |
| function $NAME(...) { | |
| ... | |
| $NAME.call(...) | |
| ... | |
| } | |
| pattern-sanitizers: | |
| - patterns: | |
| - pattern: | | |
| if (<...'constructor' ...>) { | |
| ... | |
| } | |
| ... | |
| - pattern: | | |
| if (<...'__proto__' ...>) { | |
| ... | |
| } | |
| ... | |
| - id: prototype-pollution-loop | |
| languages: | |
| - typescript | |
| - javascript | |
| message: | | |
| Possibility of prototype polluting function detected. | |
| By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. | |
| This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). | |
| Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object. | |
| metadata: | |
| cwe: 'CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes' | |
| category: security | |
| references: | |
| - https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf | |
| severity: WARNING | |
| patterns: | |
| - pattern-either: | |
| - pattern: | | |
| $SMTH = $SMTH[$A] | |
| - pattern: | | |
| $SMTH = $SMTH[$A] = ... | |
| - pattern: | | |
| $SMTH = $SMTH[$A] && $Z | |
| - pattern: | | |
| $SMTH = $SMTH[$A] || $Z | |
| - pattern-either: | |
| - pattern-inside: | | |
| for(...) { | |
| ... | |
| } | |
| - pattern-inside: | | |
| while(...) { | |
| ... | |
| } | |
| - pattern-inside: | | |
| $X.forEach(function $NAME(...) { | |
| ... | |
| }) | |
| - pattern-not-inside: | | |
| for(var $A = $S; ...; ...) {...} | |
| - pattern-not-inside: | | |
| for($A = $S; ...; ...) {...} | |
| - pattern-not-inside: | | |
| $X.forEach(function $NAME($OBJ, $A,...) {...}) | |
| - metavariable-pattern: | |
| metavariable: $A | |
| patterns: | |
| - pattern-not: '"..."' | |
| - pattern-not: | | |
| ($A: float) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment