
Security Fix for Prototype Pollution - huntr.dev #10053

Merged
merged 2 commits into from
Mar 22, 2021

Conversation

huntr-helper
Contributor

@zpbrent (https://huntr.dev/users/zpbrent) has fixed a potential Prototype Pollution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
| --- | --- |
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @zpbrent, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata *

mongoose.Schema() is subject to prototype pollution due to the recursive calling of the Schema.prototype.add() function to add new items into the schema object. This vulnerability allows modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property, possibly leading to many kinds of attacks such as denial of service, checking bypass, or potentially code execution.

Bounty URL: https://www.huntr.dev/bounties/1-npm-mongoose/

⚙️ Description *

__proto__/constructor/prototype check in Schema.prototype.add() function in lib/schema.js.

💻 Technical Description *

Recursive property assignment with a path must be checked to avoid polluting the object's prototype.

🐛 Proof of Concept (PoC) *

```js
// PoC.js
const mongoose = require('mongoose'); // tested against mongoose.version === '5.12.0'
// Key named "__proto__" in the schema definition; JSON.parse keeps it as an own property
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
// Vulnerable Schema.prototype.add() recurses into the "__proto__" branch
mongoose.Schema(JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // HACKED
// end of PoC.js
```

We find that, although the use of HACKED in the malicious payload can pollute the Object's prototype successfully, it may incur a TypeError exception since HACKED is not a default type that mongoose.Schema supports (see http://bit.ly/mongoose-schematypes). To avoid this TypeError, we can use any one of the supported types to replace HACKED in the payload, such as Date, String, Number etc. Note that restricting the polluted payload to supported types can limit the consequent attacks, but at least the denial of service attack on prototype functions is always possible.

🔥 Proof of Fix (PoF) *

After the fix:

```js
// PoF.js
const mongoose = require('mongoose'); // patched build; mongoose.version was '5.12.0' when reported
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
// Patched Schema.prototype.add() rejects __proto__/constructor/prototype keys
mongoose.Schema(JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // undefined
// end of PoF.js
```

🔗 Relates to...

https://www.huntr.dev/bounties/1-npm-mongoose/
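The check the description above asks for, shown as an added example that is not mongoose's own code: a simplified model of a schema `add()` that flattens nested input into dotted paths and writes each path into a `tree` object one segment at a time. The names `setPath`, `addSchema`, `probe` and `FORBIDDEN_KEYS` are this example's own, and the tree walk is an assumption about how such a structure gets built, not a copy of lib/schema.js. With checking off, the walk follows a `__proto__` segment into Object.prototype, which is how the PoC payload lands a property on every object; with checking on, any of the three keys named in the fix description is rejected before anything is written. Failing loudly instead of silently skipping the key is this example's choice; the page does not say which mongoose does.

```javascript
// Added example, not mongoose's own code: a simplified model of a schema
// add() that flattens nested input to dotted paths and writes them into a
// tree, showing how a "__proto__" segment pollutes Object.prototype and how
// the key check described in the fix stops it. The walk is an assumption
// about the structure, not a copy of lib/schema.js.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Write `value` at the dotted `path` inside `tree`, creating intermediate
// objects as needed. With checkKeys=false this is the vulnerable shape:
// tree['__proto__'] resolves to Object.prototype, so the final assignment
// lands on every object in the process.
function setPath(tree, path, value, checkKeys) {
  const parts = path.split('.');
  if (checkKeys) {
    for (const part of parts) {
      if (FORBIDDEN_KEYS.has(part)) {
        throw new Error(`refusing path "${path}": "${part}" would reach the prototype chain`);
      }
    }
  }
  const last = parts.pop();
  let branch = tree;
  for (const part of parts) {
    if (branch[part] == null) branch[part] = {};
    branch = branch[part];
  }
  branch[last] = value;
  return tree;
}

// Recursive add(): plain-object values recurse with a longer prefix, leaves
// become dotted paths (mirrors the recursion the report describes).
function addSchema(input, checkKeys) {
  const tree = {};
  const add = (obj, prefix) => {
    for (const key of Object.keys(obj)) {
      const value = obj[key];
      if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
        add(value, prefix + key + '.');
      } else {
        setPath(tree, prefix + key, value, checkKeys);
      }
    }
  };
  add(input, '');
  return tree;
}

// The payload from the PoC above (constructed here, same text as the report's).
const MALICIOUS_PAYLOAD = '{"__proto__":{"polluted":"HACKED"}}';

// Run one JSON payload through the model and report whether Object.prototype
// gained an own "polluted" property; the pollution is removed afterwards so
// the rest of the process is unaffected.
function probe(payloadJson, checkKeys) {
  let error = null;
  try {
    addSchema(JSON.parse(payloadJson), checkKeys);
  } catch (e) {
    error = e.message;
  }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return { polluted, error };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unchecked:', probe(MALICIOUS_PAYLOAD, false)); // { polluted: true, error: null }
  console.log('checked:  ', probe(MALICIOUS_PAYLOAD, true));  // { polluted: false, error: 'refusing ...' }
  console.log('benign:   ', addSchema({ name: 'String', meta: { created: 'Date' } }, true));
}
```

The same check covers the `constructor.prototype` route, since every segment of the path is tested before the walk starts; a benign nested definition such as `{ name: 'String', meta: { created: 'Date' } }` passes through unchanged.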

zpbrent and others added 2 commits March 17, 2021 19:09
Security Fix for Prototype Pollution in mongoose
Collaborator

@vkarpov15 vkarpov15 left a comment


Thanks 👍

@vkarpov15 vkarpov15 added this to the 5.12.2 milestone Mar 22, 2021
@vkarpov15 vkarpov15 merged commit 91f003a into Automattic:master Mar 22, 2021
@JamieSlome

@vkarpov15 - thanks for the quick turnaround!

If you are interested, you can get more disclosures/fixes like these in the future by adding our badge to your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)


Have a great day! 👋

@zpbrent
Contributor

zpbrent commented Mar 23, 2021

> @vkarpov15 - thanks for the quick turnaround!
>
> If you are interested, you can get more disclosures/fixes like these in the future by adding our badge to your README.md:
>
> [![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)
>
> Have a great day! 👋

Hi @JamieSlome, the PR has been successfully merged into the maintainer's upstream repository, but on huntr.dev it still seems not to be confirmed on the Hacktivity page at https://www.huntr.dev/bounties/hacktivity . Also, on the bounty page https://www.huntr.dev/bounties/1-npm-mongoose/ , the patch is not claimed as approved either. Please help check what the issue is, thanks.

@JamieSlome

Hello @zpbrent - our automation will kick in within 24 hours after the merge, and so all of this data, including hacktivity, bounty payments etc. will be updated soon.

Let me know if you have any further questions - cheers! 🍻

@zpbrent
Contributor

zpbrent commented Mar 23, 2021

> Hello @zpbrent - our automation will kick in within 24 hours after the merge, and so all of this data, including hacktivity, bounty payments etc. will be updated soon.
>
> Let me know if you have any further questions - cheers! 🍻

@JamieSlome Noted and thanks, cheers!
