Security Fix for Prototype Pollution - huntr.dev #10053
Merged
@zpbrent (https://huntr.dev/users/zpbrent) has fixed a potential Prototype Pollution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...
| Q | A |
| --- | --- |
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @zpbrent, the discloser found in the bounty URL (below) and @huntr-helper.
User Comments:
📊 Metadata *
`mongoose.Schema()` is subject to prototype pollution due to the recursive calling of the `Schema.prototype.add()` function to add new items into the schema object. This vulnerability allows modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property, possibly leading to many kinds of attacks such as denial of service, check bypass, or potentially code execution.
Bounty URL: https://www.huntr.dev/bounties/1-npm-mongoose/
⚙️ Description *
`__proto__`/`constructor`/`prototype` check in the `Schema.prototype.add()` function in `lib/schema.js`.
💻 Technical Description *
Recursive property assignment with a path must be checked to avoid polluting the object's prototype.
🐛 Proof of Concept (PoC) *
We find that, although the use of `HACKED` in the malicious payload can pollute the Object's prototype successfully, it may incur a `TypeError` exception since `HACKED` is not a default type that `mongoose.Schema` supports (see http://bit.ly/mongoose-schematypes). To avoid this `TypeError`, we can use any one of the supported types to replace `HACKED` in the payload, such as `Date`, `String`, `Number`, etc. Note that restricting the polluted payload to supported types can limit the consequent attacks, but at least the denial of service attack on prototype functions is always possible.
🔥 Proof of Fix (PoF) *
After the fix:
🔗 Relates to...
https://www.huntr.dev/bounties/1-npm-mongoose/
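As an added example (not mongoose's own code from this PR), the following is a minimal model of the recursive path assignment that `Schema.prototype.add()` performs, with the `__proto__`/`constructor`/`prototype` check described above applied at every level of the recursion; it goes one step further than the patch by storing paths in a prototype-less map. The function names (`addPaths`, `collectPaths`) and the sample schema definitions are constructed for illustration.

```javascript
// Keys that would let a recursive assignment reach Object.prototype instead
// of a real schema path (the same three keys the PR's fix rejects).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a nested schema definition and records each leaf under its dotted
// path, e.g. { a: { b: String } } -> paths['a.b'] === String. The check runs
// before the key is used, and again on every recursive call, so a forbidden
// key at any depth aborts the whole add instead of being written anywhere.
function addPaths(paths, obj, prefix = '') {
  for (const key of Object.keys(obj)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`Refusing to add unsafe schema path "${prefix}${key}"`);
    }
    const value = obj[key];
    // Only plain objects are treated as nested sub-schemas; arrays, type
    // constructors such as String or Date, and primitives are leaves.
    const isPlainObject = value !== null && typeof value === 'object'
      && Object.getPrototypeOf(value) === Object.prototype;
    if (isPlainObject && Object.keys(value).length > 0) {
      addPaths(paths, value, prefix + key + '.');
    } else {
      paths[prefix + key] = value;
    }
  }
  return paths;
}

// Uses a prototype-less object as the path store, so even a legitimate path
// named like an inherited member cannot alias anything on Object.prototype.
function collectPaths(definition) {
  return addPaths(Object.create(null), definition);
}

// Constructed sample input. JSON.parse creates an own "__proto__" property,
// which is how such a key arrives from untrusted JSON; an object literal
// with __proto__ would set the prototype instead and never reach the loop.
const safeDefinition = { name: String, meta: { created: Date, tags: [String] } };
const hostileDefinition = JSON.parse('{"meta": {"__proto__": {"polluted": "Date"}}}');

console.log(Object.keys(collectPaths(safeDefinition)));
try {
  collectPaths(hostileDefinition);
} catch (e) {
  console.log(e.message);
}
console.log('Object.prototype untouched:', ({}).polluted === undefined);
```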