diff --git a/.changeset/loud-parrots-admire.md b/.changeset/loud-parrots-admire.md new file mode 100644 index 00000000..7a1eab0b --- /dev/null +++ b/.changeset/loud-parrots-admire.md @@ -0,0 +1,5 @@ +--- +"@nodesecure/js-x-ray": patch +--- + +Add missing prototype-pollution documentation in README diff --git a/docs/prototype-pollution.md b/docs/prototype-pollution.md new file mode 100644 index 00000000..b4dc450d --- /dev/null +++ b/docs/prototype-pollution.md 
@@ -0,0 +1,39 @@ +# Prototype Pollution + +| Code | Severity | i18n | Experimental | +| --- | --- | --- | :-: | +| prototype-pollution | `Warning` | `sast_warnings.prototype_pollution` | ❌ | + +## Introduction + +Prototype pollution is an attack technique in which an adversary manipulates an object's `__proto__` property to inject or override inherited properties on all objects of that type. Because JavaScript objects share a prototype chain, a successful pollution can affect any code that reads from those inherited properties — enabling unexpected behavior, authentication bypasses, or even remote code execution in some server-side scenarios. + +JS-X-Ray raises a `prototype-pollution` warning when it detects: + +- **Direct `__proto__` property access** — e.g. `obj.__proto__.foo = "bar"` +- **Computed `__proto__` property access** — e.g. `obj["__proto__"].foo = "bar"` +- **The `"__proto__"` string literal** — e.g. `const key = "__proto__"`, which may later be used as a dynamic key + +## Examples + +```js +// Direct property access — pollutes every object's prototype +const obj = {}; +obj.__proto__.polluted = true; +console.log({}.polluted); // true + +// Computed property access — equivalent attack, just harder to spot +const payload = {}; +payload["__proto__"].isAdmin = true; + +// String literal — the key will be tracked as a potential pollution vector +const key = "__proto__"; +const target = {}; +target[key] = { isAdmin: true }; +``` + +## Resources + +- [OWASP Prototype Pollution](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-Side_Testing/10-Testing_for_Client-Side_Template_Injection) +- [Prototype Pollution — Portswigger](https://portswigger.net/web-security/prototype-pollution) +- [HackerOne — Prototype Pollution in lodash](https://hackerone.com/reports/310443) diff --git a/workspaces/js-x-ray/README.md b/workspaces/js-x-ray/README.md index e76c62d6..e2f38fc0 100644 
--- a/workspaces/js-x-ray/README.md +++ b/workspaces/js-x-ray/README.md @@ -143,6 +143,7 @@ type WarningName = | "data-exfiltration" | "sql-injection" | "monkey-patch" + | "prototype-pollution" | OptionalWarningName; interface Warning { @@ -230,6 +231,7 @@ Click on the warning **name** for detailed documentation and examples. | [data-exfiltration](https://github.com/NodeSecure/js-x-ray/blob/master/docs/data-exfiltration.md) | No | Potential unauthorized transfer of sensitive data | | [sql-injection](https://github.com/NodeSecure/js-x-ray/blob/master/docs/sql-injection.md) | No | Potential SQL injection vulnerability detected | | [monkey-patch](https://github.com/NodeSecure/js-x-ray/blob/master/docs/monkey-patch.md) | No | Modification of built-in JavaScript prototype properties | +| [prototype-pollution](https://github.com/NodeSecure/js-x-ray/blob/master/docs/prototype-pollution.md) | No | Detected use of `__proto__` to pollute object prototypes | | [weak-scrypt](https://github.com/NodeSecure/js-x-ray/blob/master/docs/weak-scrypt.md) ⚠️ | **Yes** | Usage of weak scrypt parameters (low cost, short or hardcoded salt) | #### Information Severity
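Review bot: in the `.changeset/loud-parrots-admire.md` hunk the summary "Add missing prototype-pollution documentation in README" undersells the change, since the bulk of the patch is the new `docs/prototype-pollution.md` page rather than the README edit; consider a summary along the lines of "Add prototype-pollution warning documentation (new docs page and README entry)" so the generated changelog points readers at the new document.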
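Review bot: in the `docs/prototype-pollution.md` hunk the first Resources entry is labelled "OWASP Prototype Pollution" but its URL ends in `10-Testing_for_Client-Side_Template_Injection`, which is the WSTG page on client-side template injection, not prototype pollution; either point it at a page that actually covers prototype pollution or relabel the link so readers are not sent to unrelated guidance. Secondary point in the same hunk: the third example (`target[key] = { isAdmin: true }` with `key = "__proto__"`) only replaces `target`'s own prototype and does not affect other objects, unlike the first two snippets; the comment "the key will be tracked as a potential pollution vector" would read more accurately if it said the literal is flagged because it may later reach a shared prototype, not because this line pollutes one.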
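Review bot: in the second README hunk (`@@ -230,6 +231,7 @@`) the new row's description "Detected use of `__proto__` to pollute object prototypes" is hard to tell apart from the adjacent monkey-patch row "Modification of built-in JavaScript prototype properties", and it breaks the "Potential ..." phrasing used by the neighbouring rows; suggest something like "Potential prototype pollution via `__proto__` property access or string literal", which matches the three detection cases listed in the new docs page and makes the distinction from monkey-patch (direct edits to built-in prototypes) visible in the table itself.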