
Prototype pollution in pathval #634

Closed
wants to merge 3 commits into from

Conversation

Asjidkalam

@Asjidkalam Asjidkalam commented Sep 13, 2020

✍️ Description

pathval is chaijs's package for retrieving an object value using a string path; this package is vulnerable to Prototype Pollution via the setPathValue function.

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

🕵️‍♂️ Proof of Concept

Install the package (npm i pathval) and run the code below:

var pathval = require('pathval');

var obj = {};
// 'polluted' is not defined anywhere yet, so this prints "Before:undefined"
console.log("Before:" + obj.polluted);
// The '__proto__' segment makes setPathValue walk into Object.prototype
pathval.setPathValue(obj, '__proto__.polluted', 'pwned!');
// obj never got an own property, but it now inherits 'polluted' from Object.prototype
console.log("After:" + obj.polluted);

Outputs pwned!.


💥 Impact

It leads to either denial of service by triggering JavaScript exceptions or tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

✅ Checklist

  • Created and populated the README.md and vulnerability.json files
  • Provided the repository URL and any applicable permalinks
  • Defined all the applicable weaknesses (CWEs)
  • Proposed the CVSS vector items i.e. User Interaction, Attack Complexity
  • Checked that the vulnerability affects the latest version of the package released
  • Checked that a fix does not currently exist that remediates this vulnerability
  • Complied with all applicable laws
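The root cause described above is a path-setter that walks through whatever keys the path names, including `__proto__`, `constructor` and `prototype`. The following is an added example of how a hardened setter can refuse such paths; it is not pathval's own code and not the fix referenced in this thread. The function names `setPathValueSafe`, `parsePath`, `isPrototypePolluted` and `demo`, and the `a.b[0].c` path syntax, are assumptions made for this illustration.

```javascript
// Added example (not pathval's code): a path setter that rejects any segment
// which could redirect the write into a prototype object.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split an assumed path syntax "a.b[0].c" into ['a', 'b', '0', 'c'],
// throwing if any segment names a prototype-related key.
function parsePath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const parts = path
    .replace(/\[(\d+)\]/g, '.$1') // a[0] -> a.0
    .split('.')
    .filter((p) => p.length > 0);
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing to traverse prototype key "${part}"`);
    }
  }
  return parts;
}

// Set a value at a dotted path, creating intermediate plain objects as needed.
// Intermediate containers are only reused when they are *own* properties of the
// current node, so the walk never climbs the prototype chain.
function setPathValueSafe(obj, path, value) {
  if (obj === null || typeof obj !== 'object') {
    throw new TypeError('target must be an object');
  }
  const parts = parsePath(path);
  let cursor = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const existing = Object.prototype.hasOwnProperty.call(cursor, key)
      ? cursor[key]
      : undefined;
    if (existing === null || typeof existing !== 'object') {
      cursor[key] = {};
    }
    cursor = cursor[key];
  }
  cursor[parts[parts.length - 1]] = value;
  return obj;
}

// Detection check: a successful pollution shows up as an own property on
// Object.prototype, which a clean runtime never has.
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Feed the PoC path from the report into the hardened setter and report
// whether it was rejected, whether Object.prototype stayed clean, and that
// ordinary nested paths still work.
function demo() {
  const target = {};
  let rejected = false;
  try {
    setPathValueSafe(target, '__proto__.polluted', 'pwned!');
  } catch (e) {
    rejected = true;
  }
  setPathValueSafe(target, 'a.b[0].c', 42);
  return {
    rejected,
    polluted: isPrototypePolluted('polluted'),
    inherited: ({}).polluted, // undefined when the prototype is clean
    nested: target.a.b[0].c,
  };
}

console.log(demo());
```

Blocking the three keys by name is the minimum; the own-property check on each hop matters as well, because without it a path like `a.__proto__` that slipped past filtering at one layer would still be followed into an inherited object at the next.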

@huntr-helper huntr-helper added the disclosure Vulnerability disclosure label Sep 13, 2020

@Mik317 Mik317 left a comment


LGTM 😄 🍰

Cheers,
Mik

Two review comments on bounties/npm/pathval/1/vulnerability.json (outdated, resolved)

@mufeedvh mufeedvh left a comment


Good finding! 👏🔥

huntr sheriff LGTM


@bbeale bbeale left a comment


Nice find 👍


ghost commented Sep 23, 2020

It looks like there's already a fix in the works for this one, so I'm going to close it off - chaijs/pathval#58

Thanks for the disclosure though!

@ghost ghost closed this Sep 23, 2020