Fix Prototype Pollution

[alromh87]

📊 Metadata *

json-ptr is vulnerable to Prototype Pollution.
This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

Bounty URL: https://www.huntr.dev/bounties/1-npm-json-ptr/

⚙️ Description *

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects.
JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype.
An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain.

💻 Technical Description *

Fixed by avoiding setting magical attributes.

🐛 Proof of Concept (PoC) *

1. Create the following PoC file:

// poc.js
var {JsonPointer } = require("json-ptr")
var obj = {}
console.log("Before : " + obj.polluted);
JsonPointer.set(obj,'/__proto__/polluted','Yes! Its Polluted', true);
var obj1 ={}
console.log("After : " + obj1.polluted);

2. Execute the following commands in another terminal:

npm i json-ptr # Install affected module
node poc.js #  Run the PoC

3. Check the Output:

Before : undefined
After : Yes! Its Polluted

Same result can be achieved with next poc, the proposed fix also handles this case:

var {JsonPointer } = require("./dist/")
var obj = {}
console.log("Before : " + obj.polluted);
JsonPointer.set(obj,'/constructor/prototype/polluted','Yes! Its Polluted', true);
var obj1 ={}
console.log("After : " + obj1.polluted);

🔥 Proof of Fix (PoF) *

After fix execution will block prototype pollution and throw an exception

👍 User Acceptance Testing (UAT)

After fix functionality is unafected

[Mik317]

LGTM 😄 🍰
Not sure if it's better returning the not modified object instead of a error though 👍

Cheers,
Mik

[bbeale]

I'll echo what @Mik317 said regarding throwing an error vs returning the unmodified object, but despite that matter of opinion, the fix itself looks good to me.

[alromh87]

Thanks for the reviews, I choosed throw emulating library behaviour https://github.com/418sec/json-ptr/blob/master/src/util.ts#L158-L164

Neverteless sent PR that will not throw #2

[ghost]

Thanks for the fix! In this case it looks like the upstream repo has merged in a fix last night. Cheers 👍

[alromh87]

In this case I want to point out that fix has been submited 4 days before upstream

[JamieSlome]

@alromh87 - because the fix has already been made upstream, we won't merge this in, however, we can offer you some credits for your diligence!

Cheers! 🍰

[huntr-helper]

Sorry alromh87, we enjoyed reviewing your fix but it has not been selected this time. If this bounty has not been closed, please feel free to try again with a new pull request!

We appreciate your effort and look forward to reviewing more of your fixes in the future! 🔨😎

Come join us on Discord

[alromh87]

@JamieSlome I understand your point, but I would argue that this fix was posted 4 days before it was merged upstream and 2 days before the merged commit, also calls my attention the exact same words used for the throw. Its the same charcater by character...

https://github.com/flitbit/json-ptr/pull/26/files#diff-3294a832ea2276e554177e0b3007cc2d401c082912c7fbde49fa09141bf1aed1R175-R177

https://github.com/418sec/json-ptr/pull/1/files#diff-3294a832ea2276e554177e0b3007cc2d401c082912c7fbde49fa09141bf1aed1R175-R177

So citing another huntr "I feel it was stolen from me". 😞

[JamieSlome]

@alromh87 - Let me have a look into this and I will get back to you here.

Cheers! 🍰

[alromh87]

@JamieSlome any news on the matter?

[JamieSlome]

@alromh87 - apologies for the delay!

Unfortunately, we can't award the fix, but we will make sure to be more aware of this case in the future to prevent this from happening again.

Cheers! 🍰