This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

Prototype pollution found in merge.js #922

Closed
lelecolacola123 opened this issue Jan 9, 2023 · 2 comments · Fixed by #923

Comments

@lelecolacola123

No description provided.

@lelecolacola123
Author

Prototype pollution vulnerability in the functions `_merge` and `merge` in algoliasearch-helper/src/functions/merge.js in algoliasearch-helper 3.11.1.
The POC is:

```js
try {
  // Pass a JSON-parsed object containing a "constructor" key into the helper.
  require('algoliasearch-helper')({}, JSON.parse('{"constructor": {"prototype": {"test": 123}}}'));
} catch (e) {
  // The write-back throws, but Object.prototype has already been modified.
  console.log({}.test);
}
```

Only line 26 of algoliasearch-helper/src/functions/merge.js filters `__proto__`, ignoring `prototype` and `constructor`. merge.js uses `'use strict'` and throws an error on `{}.constructor.prototype = {test: 123}`, but before doing so `{}.constructor.prototype.test = 123` has already led to the contamination; this is because the repair for CVE-2021-23433 is incomplete.
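The mechanism described in this report, and the fix the follow-up commit describes (skip `constructor` the same way `__proto__` is already skipped), as an added example that is not algoliasearch-helper's own merge.js: a simplified recursive merge that filters only `__proto__`, beside a hardened version that also blocks `constructor` and `prototype` and only descends into the target's own properties. The function names, the `isMergeable` helper and the demo wrapper are assumptions made for this illustration; the payload is the one from the report.

```javascript
// Added illustration, not algoliasearch-helper's merge.js: a simplified
// recursive merge that only filters `__proto__` (the gap this issue reports)
// beside a hardened version that also skips `constructor` and `prototype`
// and only recurses into the target's own properties.

// The payload from the report above (constructed input for this demo).
const PAYLOAD = '{"constructor": {"prototype": {"test": 123}}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Anything a naive merge would happily descend into: objects and functions
// (the inherited `constructor` of a plain object is the function Object).
function isMergeable(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// VULNERABLE (hypothetical, mirrors the reported gap): skips `__proto__` only.
// With the payload, `target.constructor` resolves through the prototype chain
// to Object, then `Object.prototype` is merged and receives `test = 123`.
// The final write-back `Object.prototype = ...` throws in strict mode, but the
// pollution has already happened by then. In sloppy mode the write-back is
// silently ignored and no error is raised at all.
function mergeOnlyProtoFiltered(target, source) {
  'use strict';
  for (const key of Object.keys(source)) {
    if (key === '__proto__') continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const existing = target[key]; // may be inherited, e.g. Object
      const base = isMergeable(existing) ? existing : {};
      target[key] = mergeOnlyProtoFiltered(base, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// HARDENED: skip the keys that lead to shared prototypes, and never descend
// into a value the target merely inherits.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeHardened(target, source) {
  'use strict';
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = mergeHardened(own ? target[key] : {}, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Runs one merge against the payload inside try/catch (as the PoC does) and
// reports whether it threw and whether Object.prototype was polluted.
// Deletes the polluted property afterwards so the global prototype is restored.
function runAgainstPayload(mergeFn) {
  let threw = false;
  try {
    mergeFn({}, JSON.parse(PAYLOAD));
  } catch (e) {
    threw = true;
  }
  const polluted = ({}).test === 123; // the PoC's own check
  delete Object.prototype.test;
  return { threw, polluted };
}

function demoVulnerable() { return runAgainstPayload(mergeOnlyProtoFiltered); }
function demoHardened() { return runAgainstPayload(mergeHardened); }

if (typeof require !== 'undefined' && require.main === module) {
  console.log('only __proto__ filtered:', demoVulnerable()); // { threw: true, polluted: true }
  console.log('hardened:', demoHardened());                  // { threw: false, polluted: false }
}
```

The instructive part is the order of events in the vulnerable path: the leaf write `Object.prototype.test = 123` succeeds on the way down, and only the write-back of `Object.prototype` onto `Object` fails on the way up, so a `try`/`catch` around the call hides the error without undoing the pollution. The hardened version closes both routes: the key block list stops the descent at `constructor`, and the own-property check stops the merge from ever treating an inherited value as the merge target.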

Haroenv added a commit that referenced this issue Jan 9, 2023
If a user-provided search parameter is used to instantiate search parameters, it was possible to construct it in such a way that `constructor.prototype` is attempted to be written. That throws an error, but if the error would be caught, the resulting injection still happened.

This PR fixes that (small) vulnerability by ensuring `constructor` is skipped, just like `__proto__`.

fixes #922

This is similar/a follow-up to #880
@Haroenv
Contributor

Haroenv commented Jan 9, 2023

Thanks for your report, it wasn't clear in the previous report that the code after the error would still be vulnerable. While this is an extreme edge case in my opinion (search parameters shouldn't be user-provided in the first place), I've made a pull request fixing this hole.

Haroenv added a commit that referenced this issue Jan 9, 2023
 * feat: update Algolia logo (#918) 58e0e58
 * fix: prevent prototype pollution in rare error-cases (#923) 7ae16ea, closes #922
 * fix(answers): deprecate findAnswers (#919) 0711861
dhayab pushed a commit to algolia/instantsearch that referenced this issue Jul 10, 2023
…search-helper-js#923)

If a user-provided search parameter is used to instantiate search parameters, it was possible to construct it in such a way that `constructor.prototype` is attempted to be written. That throws an error, but if the error would be caught, the resulting injection still happened.

This PR fixes that (small) vulnerability by ensuring `constructor` is skipped, just like `__proto__`.

fixes algolia/algoliasearch-helper-js#922

This is similar/a follow-up to algolia/algoliasearch-helper-js#880