Fix prototype pollution in utilities.js #301
Conversation
It is funny that I was, just right now, writing a fix for this. I'll just comment here instead. As you mention, the It is probably also a good idea to use I disagree on the low-impact issue, and this can become real bad with certain flags. So it is probably sensible to get the patch and security advisory quickly. Cheers,
@@ -79,13 +79,13 @@ const buildOptions = function() { | |||
const buildFields = (instance, field, value) => { | |||
// Do nothing if value is not set. | |||
if (value === null || value === undefined) return instance; | |||
instance = instance || {}; | |||
instance = instance || Object.create(null); | |||
// Non-array fields |
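Review bot: the Object.create(null) default at the `instance = instance || Object.create(null)` line only hardens the container this helper creates itself; whenever `instance` arrives non-null (the caller-set req.files / req.body case the description calls out, or a plain object created elsewhere), the default never runs and a field named `__proto__` or `constructor` is still written into an object that has a prototype. Add an explicit key check before the assignment, such as the isSafeFromPollution(instance, field) suggested in review, so the write is rejected regardless of how the container was created.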
I would add an isSafeFromPollution(instance, field) check right here. And move https://github.com/richardgirges/express-fileupload/blob/master/lib/processNested.js#L24-L27 into a function exported by utilities.
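To make the point concrete, here is an added example (not code from express-fileupload or this PR): a minimal nested-field walker run four ways, with the pre-patch plain-object default, the Object.create(null) default from the hunk, the caller-supplied plain root that the description lists as a caveat, and a key check in the spirit of the isSafeFromPollution suggested above. The setNested walker, the key check and the sample field path are all assumptions of this example, not the project's implementation.

```javascript
// Added example, not express-fileupload's code. The key path below is a
// constructed sample standing in for a nested multipart field name split
// into keys; isSafeFromPollution is an assumed helper, not the project's.

// A key is safe when it is not inherited: either an own property of the
// container or absent from it entirely, so it cannot resolve to a
// prototype-chain entry such as __proto__ or constructor.
const isSafeFromPollution = (instance, key) =>
  !(key in instance) || Object.prototype.hasOwnProperty.call(instance, key);

// Walks a key path and assigns the leaf, as nested field parsing does.
// makeContainer creates missing intermediate objects; guard, if given,
// is applied to every key before it is used.
function setNested(root, keys, value, makeContainer, guard) {
  let current = root;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (guard && !guard(current, key)) return root; // drop the unsafe write
    if (i === keys.length - 1) {
      current[key] = value;
    } else {
      if (current[key] === null || typeof current[key] !== 'object') {
        current[key] = makeContainer();
      }
      current = current[key];
    }
  }
  return root;
}

// True if processing the sample path "__proto__.polluted" left a property
// on Object.prototype; cleans up afterwards so the process is not left polluted.
function pollutesGlobalPrototype(root, makeContainer, guard) {
  setNested(root, ['__proto__', 'polluted'], 'yes', makeContainer, guard);
  const hit = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return hit;
}

// Pre-patch shape: plain {} containers and no guard.
const unpatched = () => pollutesGlobalPrototype({}, () => ({}));
// Patched default: a null-prototype root has no __proto__ to walk into.
const nullProtoDefault = () =>
  pollutesGlobalPrototype(Object.create(null), () => Object.create(null));
// The caveat from the PR description: a caller-supplied plain root bypasses the default.
const callerSuppliedRoot = () => pollutesGlobalPrototype({}, () => Object.create(null));
// With the key check the inherited __proto__ key is refused even on a plain root.
const guardedRoot = () =>
  pollutesGlobalPrototype({}, () => Object.create(null), isSafeFromPollution);
```

Only the guarded variant stays safe when the root is a plain object the caller supplied, which is the case the Object.create(null) default alone cannot cover.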
That sounds pretty reasonable, let me take a look at that now
Thank you very much for taking the time on this! This is a high priority, so I'm interested in getting this merged soon. Agree with @cgvwzq's feedback. Additionally, if you wouldn't mind, can you double-check that linting and tests are passing? CircleCI is temporarily disconnected so I'm merging blind.
Here's an update that hopefully makes the checks more robust. There are, naturally, some more edge cases due to this being fundamentally challenging to determine correctly, but I think the weird behavior should be effectively documented in the test I added. Also regarding tests, I'm having trouble running some of the unrelated tests on my machine, so I'll need a minute or two more to verify that they're passing correctly.
Ahh ok, this might actually be a regression in This is probably largely undetected because most modern code will be using the promise interface which naturally silences duplicate calls to Since I would imagine you would like to have the tests passing, I'm happy to submit a separate PR that addresses this.
For cleanliness' sake I moved this into a separate PR: #302 Once merged (or rebased) on top of that one, this PR should have passing tests/lints.
That looks good to me. Thanks a lot @zwade :)
Glad I could help!
Thank you @zwade! v1.3.1 published on NPM https://github.com/richardgirges/express-fileupload/releases/tag/v1.3.1
Hi! Last weekend I found a low-impact prototype pollution in this module. It's only problematic in conjunction with certain antipatterns, but it is probably good to fix if possible. This PR makes a change that will fix it under normal usage, along with a few tests to verify that it remains fixed.
A couple of caveats, the first being that it will not address the problem if the caller manually sets req.files (or req.body) to an object. In this case, however, it is less trivial to determine what the correct behaviour should be, so I did not attempt to address it.

Secondly, this diff is a bit messy because VSCode decided to trim extra whitespace in a couple of places. If that's an issue, please let me know and I can manually revert those.
Thanks!
Zach