-
Notifications
You must be signed in to change notification settings - Fork 291
/
GHSA-9c47-m6qq-7p4h.json
83 lines (82 loc) · 4.5 KB
/
GHSA-9c47-m6qq-7p4h.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
{
"schema_version": "1.3.0",
"id": "GHSA-9c47-m6qq-7p4h",
"modified": "2023-01-02T16:29:57Z",
"published": "2022-12-29T01:51:03Z",
"aliases": [
"CVE-2022-46175"
],
"summary": "Prototype Pollution in JSON5 via Parse Method",
"details": "The `parse` method of the JSON5 library before and including versions `2.2.1` and `1.0.2` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\n\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\n\n## Impact\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\n\n## Mitigation\nThis vulnerability is patched in json v2.2.2 and later. The patch has also be backported to v1.0.2 and later.\n\n## Details\nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:\n\n```js\nconst JSON5 = require('json5');\n\nconst doSomethingDangerous = (props) => {\n if (props.isAdmin) {\n console.log('Doing dangerous thing as admin.');\n } else {\n console.log('Doing dangerous thing as user.');\n }\n};\n\nconst secCheckKeysSet = (obj, searchKeys) => {\n let searchKeyFound = false;\n Object.keys(obj).forEach((key) => {\n if (searchKeys.indexOf(key) > -1) {\n searchKeyFound = true;\n }\n });\n return searchKeyFound;\n};\n\nconst props = JSON5.parse('{\"foo\": \"bar\"}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as user.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n\nIf an attacker attempts to set the `isAdmin` key, their request will be rejected:\n\n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props);\n} else {\n throw new Error('Forbidden...'); // Error: Forbidden...\n}\n```\n\nHowever, attackers can instead set the `__proto__` key to `{\"isAdmin\": true}`. `JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the attacker to bypass the security check and run their request as an admin:\n\n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n",
"severity": [
],
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "json5"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.2"
}
]
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "json5"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
]
}
]
}
],
"references": [
{
"type": "WEB",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"type": "WEB",
"url": "https://github.com/json5/json5/issues/199"
},
{
"type": "WEB",
"url": "https://github.com/json5/json5/issues/295"
},
{
"type": "PACKAGE",
"url": "https://github.com/json5/json5"
}
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"severity": "HIGH",
"github_reviewed": true
}
}