Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Fix for Prototype Pollution - huntr.dev #38

Merged
merged 2 commits into from
Nov 14, 2020

Conversation

huntr-helper
Copy link

https://huntr.dev/users/alromh87 has fixed the Prototype Pollution vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/merge/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-merge

⚙️ Description *

js.merge package is vulnerable to prototype pollution issue

💻 Technical Description *

Fixed by adding missing magical attributes, to filter.
- if (key === '__proto__'){
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype'){

🐛 Proof of Concept (PoC) *

  1. Install the package, run the below code:
var mergelib = require('merge');
var obj = mergelib({}, JSON.parse('{ "testProperty": "hi", "prototype" : { "status" : "pwned!" } }'));
console.log(obj.prototype.status);

Outputs: pwned.

🔥 Proof of Fix (PoF) *

After fix prototype.status is undefined

👍 User Acceptance Testing (UAT)

After fix functionality is unafected

@JamieSlome
Copy link
Contributor

JamieSlome commented Oct 23, 2020

@yeikos @zeke - let me know if you have any thoughts or questions regarding the fix.

Cheers! 🍰

@yeikos yeikos merged commit f571887 into swordev:master Nov 14, 2020
This was referenced Dec 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants