This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Security Fix for Prototype Pollution in mquery #1

Merged
merged 1 commit into from
Mar 29, 2021

Conversation

zpbrent

@zpbrent zpbrent commented Mar 17, 2021

📊 Metadata *

mquery is aware of the risk of prototype pollution in its exported functions cloneObject() and merge() and readily presents protection by checking the key in var specialProperties = ['__proto__', 'constructor', 'prototype']. However, the current protection fails to protect another exported function, mergeClone(). As a result, the latest version 3.2.4 is still vulnerable to prototype pollution.

Bounty URL: https://www.huntr.dev/bounties/1-npm-mquery/

⚙️ Description *

Filter out specialProperties = ['__proto__', 'constructor', 'prototype'].

💻 Technical Description *

Place the protection code in mergeClone():
if (specialProperties.indexOf(key) !== -1) { continue; }

🐛 Proof of Concept (PoC) *

// PoC.js version of mquery is 3.2.4
const mquery = require('mquery');
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // HACKED

🔥 Proof of Fix (PoF) *

// PoC.js version of mquery is 3.2.4
const mquery = require('mquery');
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // undefined

👍 User Acceptance Testing (UAT)

N/A

🔗 Relates to...

https://www.huntr.dev/bounties/1-npm-mquery/
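As an added illustration, not mquery's own code and not part of this PR, the following is a simplified deep merge in the style of utils.mergeClone(), shown unpatched beside a version carrying the one-line specialProperties check from the Technical Description, and run against the payload from the PoC. Function names are illustrative.

```javascript
// Added example, not mquery's code: a simplified deep merge in the style of
// utils.mergeClone(), unpatched and with the PR's specialProperties check.
const specialProperties = ['__proto__', 'constructor', 'prototype'];

function isObject(v) {
  return Object.prototype.toString.call(v) === '[object Object]';
}

// Unpatched: JSON.parse creates '__proto__' as an ordinary own key, so it
// appears in Object.keys(); reading to['__proto__'] yields Object.prototype,
// and the recursive merge writes the payload's keys straight into it.
function mergeCloneVulnerable(to, from) {
  for (const key of Object.keys(from)) {
    if (isObject(from[key])) {
      if (!isObject(to[key])) to[key] = {};
      mergeCloneVulnerable(to[key], from[key]);
    } else {
      to[key] = from[key];
    }
  }
  return to;
}

// Patched: the PR's check skips the three keys that lead into the prototype chain.
function mergeClonePatched(to, from) {
  for (const key of Object.keys(from)) {
    if (specialProperties.indexOf(key) !== -1) { continue; }
    if (isObject(from[key])) {
      if (!isObject(to[key])) to[key] = {};
      mergeClonePatched(to[key], from[key]);
    } else {
      to[key] = from[key];
    }
  }
  return to;
}

// Runs the PoC payload through a merge function and reports whether a fresh
// object now inherits `polluted`; restores Object.prototype so it is repeatable.
function pollutes(mergeFn) {
  const payload = JSON.parse('{"__proto__":{"polluted":"HACKED"}}');
  mergeFn({}, payload);
  const hit = ({}).polluted === 'HACKED';
  delete Object.prototype.polluted;
  return hit;
}

console.log('vulnerable pollutes:', pollutes(mergeCloneVulnerable)); // true
console.log('patched pollutes:', pollutes(mergeClonePatched));       // false
```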

@huntr-helper

👋 Hello, @aheckmann. @zpbrent has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@aheckmann - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)


@zpbrent zpbrent changed the title Update utils.js Security Fix for Prototype Pollution in mquery Mar 17, 2021
@vkarpov15

@huntr-helper - LGTM

@JamieSlome

@huntr-helper - LGTM

Working on a way for multi-maintainer approval - cheers! 🍰
