Skip to content

fix: Address prototype pollution vulnerability in merge function#12

Merged
Swaagie merged 2 commits into
bigpipe:masterfrom
ohad2712:fix/address-prototype-pollution-vulnerablity-in-merge-function
Jan 30, 2022
Merged

fix: Address prototype pollution vulnerability in merge function#12
Swaagie merged 2 commits into
bigpipe:masterfrom
ohad2712:fix/address-prototype-pollution-vulnerablity-in-merge-function

Conversation

@ohad2712
Copy link
Copy Markdown
Contributor

@ohad2712 ohad2712 commented Jul 5, 2021

I have verified that this lib's merge function has a Prototype Pollution vulnerability in predefine.

The vulnerable code: https://github.com/bigpipe/predefine/blob/0.1.2/index.js#L263-L294

PoC (Before):

const predefine = require('predefine');
predefine.merge({}, JSON.parse('{"__proto__": {"a": "b"}}'));

console.log(({}).a === 'b' ? 'exploitable' : 'unexploitable'); // exploitable

This PR edits the vulnerable place, and adds a test to make sure it is unexploiable.

@Kirill89 Kirill89 mentioned this pull request Jul 6, 2021
Merged
2 tasks
@lpinca lpinca mentioned this pull request Nov 13, 2021
Closed
@davedoesdev
Copy link
Copy Markdown

davedoesdev commented Dec 7, 2021

Seems sensible

@davedoesdev
Copy link
Copy Markdown

davedoesdev commented Jan 23, 2022

FYI: Published as @davedoesdev/predefine@0.1.3

lpinca
lpinca reviewed Jan 23, 2022
View reviewed changes
Comment thread index.js Outdated
@lpinca
Copy link
Copy Markdown
Contributor

lpinca commented Jan 23, 2022

@Swaagie can you merge this and cut a new release if @3rd-Eden is ok with it?

@lpinca
Copy link
Copy Markdown
Contributor

lpinca commented Jan 23, 2022

Also CCing: @indexzero

@lpinca
Copy link
Copy Markdown
Contributor

lpinca commented Jan 30, 2022

@jcrugzz ?

@Swaagie @lpinca
Update index.js
045c1c7 
Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
@Swaagie Swaagie merged commit 1a86a01 into bigpipe:master Jan 30, 2022
@MateuszKikmunter
Copy link
Copy Markdown

MateuszKikmunter commented Feb 21, 2022

Is this really solved @Swaagie? Still getting warnings in Synk reports. Could it be false positive vulnerability report?
Screenshot 2022-02-21 at 17 50 22

@lpinca
Copy link
Copy Markdown
Contributor

lpinca commented Feb 21, 2022

Is this really solved @Swaagie? Still getting warnings in Synk reports. Could it be false positive vulnerability report?

Yes, see 29851b6.

@MateuszKikmunter
Copy link
Copy Markdown

MateuszKikmunter commented Feb 21, 2022

Is this really solved @Swaagie? Still getting warnings in Synk reports. Could it be false positive vulnerability report?

Yes, see 29851b6.

Thanks @lpinca !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Swaagie Swaagie Swaagie approved these changes

+1 more reviewer

@lpinca lpinca lpinca approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ohad2712 @davedoesdev @lpinca @MateuszKikmunter @Swaagie