Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Fix for Two Prototype Pollution - huntr.dev #2

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Security Fix for Two Prototype Pollution - huntr.dev #2

wants to merge 6 commits into from

Conversation

huntr-helper
Copy link

@huntr-helper huntr-helper commented Apr 24, 2020
edited
Loading

Fix 1

https://huntr.dev/app/users/mufeedvh has fixed a security vulnerability (Prototype Pollution) 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this? Get involved at https://huntr.dev/!

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2

Fix 2

https://huntr.dev/app/users/bbeale has fixed the Prototype Pollution vulnerability 🔨. @bbeale has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#3
GitHub Issue URL | #4
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/fun-map/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/app/bounties/open/1-npm-fun-map

⚙️ Description *

fun-map is a utility to help simulate Clojure like functional programming in JavaScript. The package is vulnerable to Prototype Pollution. The function assocInM could be taken advantage of by adding or modifying properties of Object.prototype using a proto payload.

💻 Technical Description *

The mitigation was to freeze the prototype of the object created in assocInM. This will prevent unintended or malicious modifications by removing the ability to add or remove properties to the prototype at all.

🐛 Proof of Concept (PoC) *

var a = require("fun-map");
a.assocInM({},["proto","toString"],"JHU");
console.log({}.toString);

🔥 Proof of Fix (PoF) *

function assocInM(obj, keys, value) {
  /*
    `Object.create()` to set the object to not have any prototype
    to prevent prototype pollution attacks
  */
  obj = Object.create(obj)
  Object.freeze(obj.prototype)

  var ret = obj
    , key

  for (var i = 0, len = keys.length; i < (len - 1); i++) {
    key = keys[i]
    obj = obj[key] || (obj[key] = {})
  }

  key = keys[i]
  obj[key] = value

  return ret
}

@huntr-helper huntr-helper changed the title huntr.dev - Prototype Pollution Fix Security Fix for Two Prototype Pollution - huntr.dev Jul 29, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@huntr-helper @mufeedvh @bbeale @JamieSlome