Skip to content

Security Fix for Two Prototype Pollution - huntr.dev#2

Open
huntr-helper wants to merge 6 commits intonathan7:masterfrom
418sec:master
Open

Security Fix for Two Prototype Pollution - huntr.dev#2
huntr-helper wants to merge 6 commits intonathan7:masterfrom
418sec:master

Conversation

@huntr-helper
Copy link

@huntr-helper huntr-helper commented Apr 24, 2020
edited
Loading

Fix 1

https://huntr.dev/app/users/mufeedvh has fixed a security vulnerability (Prototype Pollution) 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this? Get involved at https://huntr.dev/!

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2

Fix 2

https://huntr.dev/app/users/bbeale has fixed the Prototype Pollution vulnerability 🔨. @bbeale has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#3
GitHub Issue URL | #4
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/fun-map/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/app/bounties/open/1-npm-fun-map

⚙️ Description *

fun-map is a utility to help simulate Clojure like functional programming in JavaScript. The package is vulnerable to Prototype Pollution. The function assocInM could be taken advantage of by adding or modifying properties of Object.prototype using a proto payload.

💻 Technical Description *

The mitigation was to freeze the prototype of the object created in assocInM. This will prevent unintended or malicious modifications by removing the ability to add or remove properties to the prototype at all.

🐛 Proof of Concept (PoC) *

var a = require("fun-map");
a.assocInM({},["proto","toString"],"JHU");
console.log({}.toString);

🔥 Proof of Fix (PoF) *

function assocInM(obj, keys, value) {
  /*
    `Object.create()` to set the object to not have any prototype
    to prevent prototype pollution attacks
  */
  obj = Object.create(obj)
  Object.freeze(obj.prototype)

  var ret = obj
    , key

  for (var i = 0, len = keys.length; i < (len - 1); i++) {
    key = keys[i]
    obj = obj[key] || (obj[key] = {})
  }

  key = keys[i]
  obj[key] = value

  return ret
}

@huntr-helper huntr-helper changed the title huntr.dev - Prototype Pollution Fix Security Fix for Two Prototype Pollution - huntr.dev Jul 29, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@huntr-helper @mufeedvh @bbeale @JamieSlome