type checking

[xiaofen9]

We found that a maliciously crafted user-input object can type checking result of kind-of module.
The vulnerability is from the following code: kind-of leverages the built-in constructor of unsafe user-input to detect type information. However, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

kind-of/index.js

Lines 68 to 70 in 4da96c0

	function ctorName(val) {
	return val.constructor ? val.constructor.name : null;
	}

Reproduce Script

var kindOf = require('kind-of');


var user_input = {
  user: 'barney',
  age: 36,
  active: true,
  "constructor":{"name":"Symbol"}
};
console.log(kindOf(user_input));

This issue can be fixed by adding one simply check to the ctorName() function:
check typeof val.constructor === function . This check can patch the vulnerability because attackers can't use json to send function instances to the victim server.

[elordahl]

@xiaofen9 would you care to submit this fix as a PR, for @jonschlinkert to review? 😎

[jonschlinkert]

A PR would be great.

Could you provide a more detailed description of specifically how and when this could become an actual exploit?

[jonschlinkert]

I've locked the issue to prevent useless and distracting "me too" comments.

@xiaofen9 if you want to create a PR, that would be great.

It would help if you could add a description of when and how this can be used "maliciously". We can't think of one scenario where that could ever happen... but that doesn't mean it can't, so we'd love to be enlightened so that we know better in the future.

[doowb]

Closed by #31