Hello.
This is LY Security Assessment Team.
Share the security vulnerabilities we found.
vConsole Version: 3.16.0-alpha(de7026d)
issue
```ts
public updateRequest(id: string, data: VConsoleNetworkRequestItem) {
  const { url } = data;
  if (url && this.ignoreUrlRegExp?.test(url)) {
    return;
  }
  const reqList = get(requestList);
  const hasItem = !!reqList[id];
  if (hasItem) {
    // force re-assign to ensure that the value is updated
    const item = reqList[id];
    for (let key in data) {
      item[key] = data[key];
    }
    data = item;
  }
  requestList.update((reqList) => {
    reqList[id] = data;
    return reqList;
  });
  if (!hasItem) {
    contentStore.updateTime();
    this.limitListLength();
  }
}
```
Possible prototype pollution due to missing `id` validation in `updateRequest` in `network.model.ts`.

`updateRequest` resolves `reqList[id]` without validating the `id` parameter. When `id` is `"__proto__"`, `reqList["__proto__"]` returns `Object.prototype` (via the `__proto__` accessor on plain objects), and `!!Object.prototype` evaluates to `true`. The subsequent `for..in` loop then writes all enumerable properties of `data` directly onto `Object.prototype`, resulting in global prototype pollution.

This is reachable through two public APIs:

- `vConsole.network.update(id, item)` in `network.exporter.ts` — passes `id` directly to `updateRequest`
- `vConsole.network.add(item)` in `network.exporter.ts` — copies `item.id` onto the internal proxy via `for..in`, then passes it to `updateRequest`

Note: `setOption()` was previously patched for the same class of vulnerability by adding `__proto__` / `constructor` / `prototype` key checks (core.ts#L518-L521), but the same mitigation was not applied to `updateRequest`.
poc
```js
// Vector 1: precise injection via update()
vConsole.network.update('__proto__', { polluted: 'pwned' });
console.log({}.polluted); // "pwned"

// Vector 2: mass pollution via add()
vConsole.network.add({ id: '__proto__', url: 'http://example.com', method: 'GET', status: 200 });
console.log({}.url); // "http://example.com/"
console.log({}.status); // 200
console.log({}.method); // "GET"
```
Code referenced under "issue": vConsole/src/network/network.model.ts, lines 66 to 89 in de7026d
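An added example (not from the report or the vConsole code base) that reduces the merge step described in the report to a plain-object stand-in and sets it beside a hardened variant. `updateRequestUnsafe`, `updateRequestSafe`, `isSafeKey` and `createRequestList` are hypothetical names, the inputs are constructed, and the key list mirrors the `__proto__` / `constructor` / `prototype` checks the report attributes to `setOption()`.

```javascript
// Added example: simplified stand-in for the request store, not vConsole code.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isSafeKey = (k) => typeof k === 'string' && k !== '' && !FORBIDDEN_KEYS.has(k);

// Merge step as reported: truthiness lookup on a plain object, then for..in copy.
function updateRequestUnsafe(reqList, id, data) {
  const hasItem = !!reqList[id]; // reqList['__proto__'] is Object.prototype: truthy
  if (hasItem) {
    const item = reqList[id];
    for (const key in data) item[key] = data[key]; // writes land on Object.prototype
    data = item;
  }
  reqList[id] = data;
}

// Hardened merge: reject reserved ids, test own properties only, copy own safe keys.
function updateRequestSafe(reqList, id, data) {
  if (!isSafeKey(id)) return false; // same three keys the report says setOption() checks
  const hasItem = Object.prototype.hasOwnProperty.call(reqList, id);
  const item = hasItem ? reqList[id] : {};
  for (const key of Object.keys(data)) {
    if (isSafeKey(key)) item[key] = data[key];
  }
  reqList[id] = item;
  return true;
}

// A null-prototype store has no inherited __proto__ accessor to resolve at all.
const createRequestList = () => Object.create(null);

// Runs both variants on constructed input and reports what reached Object.prototype.
function demo() {
  updateRequestUnsafe({}, '__proto__', { polluted: 'pwned' });
  const unsafePolluted = {}.polluted === 'pwned';
  delete Object.prototype.polluted; // undo so the rest of the run is clean

  const list = createRequestList();
  const rejected = !updateRequestSafe(list, '__proto__', { polluted: 'pwned' });
  updateRequestSafe(list, 'req-1', { url: 'http://example.com', status: 200 });
  // JSON.parse creates an own "__proto__" key; the safe copy skips it.
  updateRequestSafe(list, 'req-1', JSON.parse('{"status":404,"__proto__":{"x":1}}'));
  return { unsafePolluted, rejected, safePolluted: 'polluted' in {} || 'x' in {},
           merged: list['req-1'] };
}

console.log(demo());
```

The null-prototype store and the own-property check each close the lookup path on their own; the key filter is kept as a second layer because ids and item fields arrive from callers of the public API.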