Security Fix for Prototype Pollution - huntr.dev #121

Merged
merged 2 commits into from
Mar 29, 2021


huntr-helper
Contributor

@zpbrent (https://huntr.dev/users/zpbrent) has fixed a potential Prototype Pollution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
| --- | --- |
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @zpbrent, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata *

mquery is aware of the risk of prototype pollution in its exported functions cloneObject() and merge() and readily presents protection by checking the key in var specialProperties = ['__proto__', 'constructor', 'prototype']. However, the current protection fails to protect another exported function, mergeClone(). As a result, the latest version 3.2.4 is still vulnerable to prototype pollution.

Bounty URL: https://www.huntr.dev/bounties/1-npm-mquery/

⚙️ Description *

Filter out specialProperties = ['__proto__', 'constructor', 'prototype'].

💻 Technical Description *

Place the protection code in mergeClone():

```js
if (specialProperties.indexOf(key) !== -1) { continue; }
```

🐛 Proof of Concept (PoC) *

```js
// PoC.js version of mquery is 3.2.4
var mquery = require('mquery');
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // HACKED
```

🔥 Proof of Fix (PoF) *

```js
// PoC.js version of mquery is 3.2.4
var mquery = require('mquery');
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // undefined
```

👍 User Acceptance Testing (UAT)

N/A

🔗 Relates to...

https://www.huntr.dev/bounties/1-npm-mquery/
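
The effect of the key filter described in this pull request, shown on a simplified recursive merge. This is an added example, not mquery's source and not part of the original PR; `mergeInto`, `probe` and the `guard` flag are hypothetical names, and the payload is constructed for the demonstration.

```javascript
// Added example: a simplified recursive merge, NOT mquery's actual code.
const specialProperties = ['__proto__', 'constructor', 'prototype'];

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Recursively copies `from` into `to`. `guard` (hypothetical flag) toggles
// the key filter that the PR places in mergeClone().
function mergeInto(to, from, guard) {
  for (const key of Object.keys(from)) {
    if (guard && specialProperties.indexOf(key) !== -1) {
      continue; // skip keys that can reach a prototype object
    }
    if (isObject(from[key])) {
      // Without the guard, to['__proto__'] resolves to Object.prototype,
      // so the recursion writes attacker-chosen keys onto it.
      if (!isObject(to[key])) to[key] = {};
      mergeInto(to[key], from[key], guard);
    } else {
      to[key] = from[key];
    }
  }
  return to;
}

// Merges a constructed payload, reports whether an unrelated object sees the
// injected key, then cleans up so repeated runs stay independent.
function probe(guard) {
  // JSON.parse creates "__proto__" as an own, enumerable property.
  const payload = JSON.parse('{"__proto__":{"polluted":"HACKED"},"a":{"b":1}}');
  const target = mergeInto({}, payload, guard);
  const leaked = {}.polluted;
  delete Object.prototype.polluted;
  return { leaked: leaked, merged: target.a.b };
}

console.log('unguarded:', probe(false));
console.log('guarded:  ', probe(true));
```

In both runs the ordinary nested key `a.b` is merged; only the guarded run leaves `Object.prototype` untouched.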

zpbrent and others added 2 commits March 17, 2021 21:26
Security Fix for Prototype Pollution in mquery
Member

@vkarpov15 vkarpov15 left a comment


Thanks 👍

Just to alleviate concerned readers, this does not affect Mongoose. Mongoose has its own mergeClone() that was fixed in Automattic/mongoose@22ad62a

@vkarpov15 vkarpov15 merged commit 158f059 into mongoosejs:master Mar 29, 2021
vkarpov15 added a commit to Automattic/mongoose that referenced this pull request Mar 29, 2021
This was referenced Mar 31, 2021