Skip to content

Commit

Permalink
console: fix prototype pollution via console.table
Browse files Browse the repository at this point in the history
CVE-ID: CVE-2022-21824
PR-URL: nodejs-private/node-private#307
Refs: https://hackerone.com/reports/1431042
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Π‘ΠΊΠΎΠ²ΠΎΡ€ΠΎΠ΄Π° Никита АндрССвич <chalkerx@gmail.com>
Reviewed-By: MichaΓ«l Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
  • Loading branch information
tniessen authored and richardlau committed Jan 7, 2022
1 parent 9f2c526 commit e2a74f3
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 1 deletion.
3 changes: 2 additions & 1 deletion lib/internal/console/constructor.js
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ const {
MathFloor,
Number,
NumberPrototypeToFixed,
ObjectCreate,
ObjectDefineProperties,
ObjectDefineProperty,
ObjectKeys,
Expand Down Expand Up @@ -555,7 +556,7 @@ const consoleMethods = {
return final([iterKey, valuesKey], [getIndexArray(length), values]);
}

const map = {};
const map = ObjectCreate(null);
let hasPrimitives = false;
const valuesKeyArray = [];
const indexKeyArray = ObjectKeys(tabularData);
Expand Down
15 changes: 15 additions & 0 deletions test/parallel/test-console-table.js
Original file line number Diff line number Diff line change
Expand Up @@ -276,3 +276,18 @@ test({ foo: 'δ½ ε₯½', bar: 'hello' }, `
β”‚ bar β”‚ 'hello' β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
`);

// Regression test for prototype pollution via console.table. Earlier versions
// of Node.js created an object with a non-null prototype within console.table
// and then wrote to object[column][index], which lead to an error as well as
// modifications to Object.prototype.
test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ (index) β”‚ __proto__ β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ 0 β”‚ β”‚
β”‚ 1 β”‚ β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
`);
assert.strictEqual('0' in Object.prototype, false);
assert.strictEqual('1' in Object.prototype, false);

0 comments on commit e2a74f3

Please sign in to comment.