fix: replace vulnerable merge function of predefine package with not vulnerable lodash.merge implementation #336
What does this PR do?
According to Snyk, broker has a Prototype Pollution vulnerability in the `predefine` package, introduced via `primus@6.1.0 › fusing@1.0.0 › predefine@0.1.2`. Together with @ohad2712 we verified that no user input flows to the vulnerable function `merge` directly or indirectly. To be precise, we observed some user input flows to `merge`, but only of type String – which makes it not exploitable. To make double sure, we decided to replace the vulnerable implementation of the `merge` function with the similar function `lodash.merge`, which is not vulnerable. To replace the function we require the `predefine` package as early as possible and replace the function by directly overwriting it.
Where should the reviewer start?
lib/index.js
How should this be manually tested?
Any background context you want to provide?
https://snyk.io/vuln/SNYK-JS-PREDEFINE-1054935
predefine:
Vulnerable code: https://github.com/bigpipe/predefine/blob/0.1.2/index.js#L263-L294
PoC:
The `merge` function is not used anywhere inside the package itself, but is exported as part of the API.
fusing:
Vulnerable code: https://github.com/bigpipe/fusing/blob/1.0/index.js#L140
The `merge` function is not used anywhere inside the `fusing` package either, but is re-exported as part of the prototype of each class.
primus:
The `merge` function is used in the `createServer` function as the 3rd argument. The `merge` function is also used in `transformers/engine.io/client.js`, but the only user input there seems to be the `url` property.
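As an added example that is not part of this PR and not predefine's, primus's or lodash's code (the module object, the probe key `pp_probe`, `naiveMerge`, `safeMerge`, `pollutesPrototype` and `hardenModule` are constructed stand-ins), the following shows a guarded deep merge beside the unguarded shape Snyk flags, a probe that detects whether a merge helper pollutes `Object.prototype`, and the "require early, overwrite the export" pattern the PR describes:

```javascript
// Added example (not code from this PR, predefine, primus or lodash): a guarded
// deep merge next to an unguarded one, a probe that tells them apart, and the
// "require early, overwrite the export" pattern the PR applies to predefine.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Unguarded recursive merge (constructed stand-in for the shape of helper that
// Snyk flags): a "__proto__" key in `source` walks into Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else target[key] = source[key];
  }
  return target;
}

// Guarded merge: own keys only, polluting keys dropped, and never recurse into
// an object the target merely inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], src);
    } else target[key] = src;
  }
  return target;
}

// Detection check: does mergeFn let a constructed "__proto__" payload reach
// Object.prototype? The probe property is removed again before returning.
function pollutesPrototype(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"pp_probe": true}}');
  mergeFn({}, payload);
  const leaked = ({}).pp_probe === true;
  delete Object.prototype.pp_probe;
  return leaked;
}

// The PR's mitigation shape on a stand-in module object: load the dependency
// first, then overwrite its exported merge before anything captures a reference.
function hardenModule(mod, replacement = safeMerge) {
  mod.merge = replacement; // the PR uses lodash.merge here
  return mod;
}
```

Running `pollutesPrototype` against a dependency's exported merge before and after the override is the quickest regression check for this kind of fix.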