This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fix prototype pollution #1

Merged
merged 1 commit into from
Mar 29, 2021

Conversation

Yoshino-s

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-expr-eval/

⚙️ Description *

With specific input, attackers can define properties on the prototype, which leads to prototype pollution.

Needs node version >= 12.0.0, which introduced Object.fromEntries.

💻 Technical Description *

When we access a global value, it just searches by item.value in expr.functions, through which we can also access the prototype, __proto__ and constructor, and assign properties to them.

🐛 Proof of Concept (PoC) *

```js
// PoC.js
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= polluted
```

🔥 Proof of Fix (PoF) *

```js
// PoF.js
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= undefined
```
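
The technical description above boils down to one defect: identifier lookup is a bare `table[name]` read, so names that are inherited from Object.prototype (`__proto__`, `constructor`) resolve just like real variables. The following is an added example, not code from expr-eval or from this PR, and every name in it (`makeNaiveTable`, `naiveLookup`, `makeSafeTable`, `safeLookup`, `reachesPrototype`, `summarize`) is hypothetical. It contrasts that naive lookup with a hardened one that keeps symbols in a null-prototype table, resolves only own keys, and refuses the well-known prototype-reaching names outright, so the expression never receives a handle to `Object` or `Object.prototype`. It only checks what each lookup resolves; it does not modify Object.prototype.

```javascript
// Added example, not expr-eval's own code. All function names are hypothetical.

// Hypothetical evaluator symbol table built as an ordinary object literal,
// the shape the report describes for expr.functions.
function makeNaiveTable() {
  return { abs: Math.abs, max: Math.max };
}

// Naive lookup: `table[name]` walks the prototype chain, so inherited keys
// (`__proto__`, `constructor`, `toString`, ...) resolve as if they were variables.
function naiveLookup(table, name) {
  return table[name];
}

// Hardened table: created with no prototype at all, so nothing is inherited.
function makeSafeTable() {
  const table = Object.create(null);
  table.abs = Math.abs;
  table.max = Math.max;
  return table;
}

// Hardened lookup: reject the prototype-reaching names explicitly (defence in
// depth, in case a caller passes an ordinary object) and return only keys the
// table itself owns. Anything else is an unknown identifier, the same outcome
// a misspelled variable in an expression would get.
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

function safeLookup(table, name) {
  if (FORBIDDEN_NAMES.has(name) ||
      !Object.prototype.hasOwnProperty.call(table, name)) {
    throw new Error(`unknown identifier: ${name}`);
  }
  return table[name];
}

// True when `name` resolves to Object or Object.prototype through `lookup`,
// i.e. the lookup has handed the expression a handle to shared state.
function reachesPrototype(lookup, table, name) {
  try {
    const v = lookup(table, name);
    return v === Object || v === Object.prototype;
  } catch (e) {
    return false;
  }
}

// Compare both lookups on the identifiers used in the PoC plus an ordinary
// function name and an unknown name. The result object is itself created
// with a null prototype so that the "__proto__" key is stored as a plain
// own property rather than changing the result's prototype.
function summarize() {
  const names = ['__proto__', 'constructor', 'abs', 'nope'];
  const out = Object.create(null);
  for (const n of names) {
    out[n] = {
      naive: reachesPrototype(naiveLookup, makeNaiveTable(), n),
      safe: reachesPrototype(safeLookup, makeSafeTable(), n),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize());
}
```

With the naive table, `__proto__` resolves to Object.prototype and `constructor` to Object, which is exactly what the PoC chains through `Object.fromEntries` and `Object.assign`; with the hardened table both names are unknown identifiers, while ordinary entries such as `abs` still resolve.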

@huntr-helper
Member

👋 Hello, @silentmatt. @Yoshino-s has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@silentmatt - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)


@silentmatt

@huntr-helper - LGTM
