Fixed Prototype Pollution

[mufeedvh]

⚙️ Fix:

The fix is implemented by defining the input Object with Object.create(null). An Object created through this API won’t have any prototype attributes which prevent Prototype Pollution Attacks.

❓ How:

The main assocInM() function has 3 parameters obj, keys, and value. The obj parameter is the object being mutated in this function.

The payload is however passed as an array to the keys parameter and the value to set inside the object to the value parameter as per the PoC:

var a = require("./index.js"); 
a.assocInM({},["__proto__","toString"],"JHU"); 
console.log({}.toString);

These values (with the payload) is mutated in this function which causes prototype pollution, I used the Object.create() to define the object to not contain any prototypes before the mutations start.

This fix is implemented with the help of this paper on Prototype Pollution:

🗒️ Prototype pollution attack in NodeJS application

From Mitigation Methods -> Object.create(null) (from the paper):

It’s possible to create object in JavaScript that don’t have any prototype. It requires the
usage of the “Object.create” function. Object created through this API won’t have the
“proto” and “constructor” attributes. Creating object in this fashion can help mitigate
prototype pollution attack.

1. var obj = Object.create(null);
2. obj.proto // undefined
3. obj.constructor // undefined

🗒️ Proof of Concept:

Place the below PoC in the root folder of the project as poc.js

var a = require("./index.js"); 
a.assocInM({},["__proto__","toString"],"JHU"); 
console.log({}.toString);

🔥 Steps to Reproduce:

$ cd fun-map/
$ node poc.js

❤️ After Fix Screenshot:

---

✌️ Fixed!

---

[toufik-airane]

LGTM 👍

[adam-nygate]

LGTM 👍

[huntr-helper]

Congratulations @mufeedvh - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!