Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport fix for GHSA-8gh8-hqwg-xf34 to v2 #308

Open
G-Rath opened this issue Jan 15, 2023 · 5 comments
Open

Backport fix for GHSA-8gh8-hqwg-xf34 to v2 #308

G-Rath opened this issue Jan 15, 2023 · 5 comments

Comments

@G-Rath
Copy link

G-Rath commented Jan 15, 2023

Currently ajv-cli is using v2 of this library - while I've opened a PR to update it to v3, I'm not sure when it might actually get merged and released as @epoberezkin is pretty busy and so the CLI doesn't get updated that frequently.

If you're open to backport fix for GHSA-8gh8-hqwg-xf34 to v2, that would allow people to resolve the vulnerability without needing a new version of ajv-cli released - looking at the changelogs and the v2 code it looks like the changes in #262 should land cleanly, and I'm happy to help if that would make it easier.
Yogu added a commit to AEB-labs/cruddl that referenced this issue Jan 16, 2023
@Yogu
chore: run npm audit fix
578c826 
Cannot fix the ajv-cli vulnerability currently, see
- ajv-validator/ajv-cli#227
- Starcounter-Jack/JSON-Patch#308
Yogu added a commit to AEB-labs/cruddl that referenced this issue Jan 16, 2023
@Yogu
chore: run npm audit fix
61c17d9 
Cannot fix the ajv-cli vulnerability currently, see
- ajv-validator/ajv-cli#227
- Starcounter-Jack/JSON-Patch#308
@G-Rath
Copy link
Author

G-Rath commented Jan 17, 2023

@Starcounter-Jack I've prepared a patch that applies #262 to v2.2.1 cleanly - I'm happy to open a PR if you want to create a v2 branch off v2.2.1:

diff --git a/src/core.ts b/src/core.ts
index 35f2c21..16302d5 100644
--- a/src/core.ts
+++ b/src/core.ts
@@ -256,7 +256,10 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe
     while (true) {
       key = keys[t];
 
-      if(banPrototypeModifications && key == '__proto__') {
+      if(banPrototypeModifications &&
+          (key == '__proto__' ||
+          (key == 'prototype' && t>0 && keys[t-1] == 'constructor'))
+        ) {
         throw new TypeError('JSON-Patch: modifying `__proto__` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
       }

Yogu added a commit to AEB-labs/cruddl that referenced this issue Jan 18, 2023
@Yogu
chore: run npm audit fix
03dcb77 
Cannot fix the ajv-cli vulnerability currently, see
- ajv-validator/ajv-cli#227
- Starcounter-Jack/JSON-Patch#308
@epoberezkin
Copy link

I think prototype pollution is not a real risk for CLI, where you control all inputs? There may be some complex attack scenario I am missing. Anyway, needs to be updated of course.

@G-Rath
Copy link
Author

G-Rath commented Jan 21, 2023
edited

@epoberezkin yeah with a CLI-based program it's probably a lot harder to exploit, but why take the risk when it's easily patched?
This backport isn't needed if you're happy to go with ajv-validator/ajv-cli#227 instead which upgrades to v3.

@G-Rath
Copy link
Author

G-Rath commented Mar 1, 2023

@Starcounter-Jack @epoberezkin friendly pings

1 similar comment
@G-Rath
Copy link
Author

G-Rath commented Jul 11, 2023

@Starcounter-Jack @epoberezkin friendly pings

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@epoberezkin @G-Rath