Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: 🐛 fix prototype pollution #58

Closed
wants to merge 1 commit into from
Closed

fix: 🐛 fix prototype pollution #58

wants to merge 1 commit into from

Conversation

AdamGold
Copy link

No description provided.

@ghost ghost mentioned this pull request Sep 23, 2020
Closed
7 tasks
@keithamus
Copy link
Member

Hey @AdamGold thanks for making this PR!

I remain unconvinced this is really a security issue. pathval is basically a library implementing = and as such anything you can do with = you can do with pathval.

Additionally, if we were to consider this a security issue, where does the line get drawn? constructor,prototype, & __proto__ are just psuedo protocols like .then or .toString, do we also need to guard against those? Should we guard against methods a user might call, such as .map? It is an intrinsic part of the language that you need to take care that values you pass to functions can be mutated.

See also #57

@AdamGold
Copy link
Author

AdamGold commented Sep 29, 2020
edited
Loading

Hey @keithamus!

I definitely agree that this is a controversial vulnerability. Full disclosure - I work for Snyk, and we have dealt with quite a few of these. I understand your point, I would just like to clarify that the examples you've given - .map or .toString affect the current object, as opposed to __proto__, prototype which could modify global behaviour and cause more severe issues.

I think that this is the main reason for which this PR could be useful, and the line should be drawn there. With that being said, I am fine with you closing this PR if you still think we should not implement these checks.

BTW I can not see the README warning anymore, has it been removed? (edit: sorry did not notice it was not merged!)

@keithamus
Copy link
Member

The README warning was not merged, as no one has approved it yet (it's sitting here: #57).

I'd like to hear from other members of @chaijs/core about this - perhaps @meeber or @lucasfcosta?

@ahippler
Copy link

Any news on this?

@jonthysell jonthysell mentioned this pull request Oct 29, 2020
Closed
@donal-tobin-sap
Copy link

CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-7751

@stfsy stfsy mentioned this pull request Nov 10, 2020
Closed
@stfsy
Copy link

stfsy commented Nov 10, 2020

@meeber or @lucasfcosta could you give an update on this? looks like an improvement to me. so why not merge it?

@deleonio
Copy link
Contributor

deleonio commented Nov 12, 2020
edited
Loading

Thanks @AdamGold - this PR fix the vulnerabilty + tests + dep updates | #60

@deleonio
Copy link
Contributor

Please use PR #60

Because it contains this fix code in addition of tests and needed update tool config for git workflow

@deleonio deleonio mentioned this pull request Nov 17, 2020
Closed
@stfsy
Copy link

stfsy commented Dec 27, 2020

@keithamus as @kckst8 approved this PR. are we ready to merge, release etc..? 🙂

@yahanvesh
Copy link

If someone can review and fix, it will be great!

@keithamus keithamus closed this Jan 26, 2021
@keithamus
Copy link
Member

Released as v1.1.1

@JBallin
Copy link

JBallin commented Jan 27, 2021
edited
Loading

For reference - the fix was merged in #60

@Svetlana-github Svetlana-github mentioned this pull request May 16, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kckst8 kckst8 kckst8 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@AdamGold @keithamus @ahippler @donal-tobin-sap @stfsy @deleonio @yahanvesh @JBallin @kckst8