Prototype pollution found in merge.js #922
Comments
Prototype pollution vulnerability in function _merge and merge in algoliasearch-helper/src/functions/merge.js in algoliasearch-helper 3.11.1
If a user-provided search parameter is used to instantiate search parameters, it was possible to construct it in such a way that `constructor.prototype` is attempted to be written. That throws an error, but if the error would be caught, the resulting injection still happened. This PR fixes that (small) vulnerability by ensuring `constructor` is skipped, just like `__proto__`. Fixes #922. This is similar/a follow-up to #880.
Thanks for your report; it wasn't clear in the previous report that the code after the error would still be vulnerable. While this is an extreme edge case in my opinion (search parameters shouldn't be user-provided in the first place), I've made a pull request fixing this hole.
…search-helper-js#923) If a user-provided search parameter is used to instantiate search parameters, it was possible to construct it in such a way that `constructor.prototype` is attempted to be written. That throws an error, but if the error would be caught, the resulting injection still happened. This PR fixes that (small) vulnerability by ensuring `constructor` is skipped, just like `__proto__`. Fixes algolia/algoliasearch-helper-js#922. This is similar/a follow-up to algolia/algoliasearch-helper-js#880.
* feat: update Algolia logo (algolia/algoliasearch-helper-js#918) algolia/algoliasearch-helper-js@40ac0fc
* fix: prevent prototype pollution in rare error-cases (algolia/algoliasearch-helper-js#923) algolia/algoliasearch-helper-js@ed880b2, closes algolia/algoliasearch-helper-js#922
* fix(answers): deprecate findAnswers (algolia/algoliasearch-helper-js#919) algolia/algoliasearch-helper-js@b2ce581
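Added example, not part of the thread and not the algoliasearch-helper source: a hypothetical recursive merge showing the behaviour the PR description reports, where the write to `constructor.prototype` throws yet `Object.prototype` is already modified, next to a variant that also skips `constructor`. The helper names, the `exampleMarker` property and the JSON input are constructed for illustration.

```javascript
// Added example: hypothetical merge helpers, not the algoliasearch-helper source.
function isMergeable(value) {
  return typeof value === 'function' || Array.isArray(value) ||
    Object.prototype.toString.call(value) === '[object Object]';
}

// Builds a recursive merge that never copies or descends into blockedKeys.
function makeMerge(blockedKeys) {
  return function merge(target, source) {
    'use strict'; // strict mode: writing a read-only property throws
    for (const key of Object.keys(source)) {
      if (blockedKeys.includes(key)) continue;
      const targetVal = target[key]; // may be inherited, e.g. {}.constructor
      const sourceVal = source[key];
      if (isMergeable(targetVal) && isMergeable(sourceVal)) {
        // For constructor.prototype the recursive call runs first and
        // mutates Object.prototype; only then does this assignment throw.
        target[key] = merge(targetVal, sourceVal);
      } else {
        target[key] = sourceVal;
      }
    }
    return target;
  };
}

// Guard lists as the PR text describes them: before and after the fix.
const mergeProtoOnly = makeMerge(['__proto__']);
const mergeHardened = makeMerge(['__proto__', 'constructor']);

// Constructed input standing in for user-provided search parameters.
const SAMPLE = '{"query":"shoes","constructor":{"prototype":{"exampleMarker":"yes"}}}';

// Runs one merge, swallowing the error the way a careless caller might.
function tryMerge(merge, json) {
  const outcome = { threw: false, polluted: false, merged: null };
  try {
    outcome.merged = merge({}, JSON.parse(json));
  } catch (err) {
    outcome.threw = err instanceof TypeError;
  }
  outcome.polluted = ({}).exampleMarker === 'yes'; // visible on a fresh object?
  delete Object.prototype.exampleMarker;           // clean up after the demo
  return outcome;
}

console.log('__proto__ only:', tryMerge(mergeProtoOnly, SAMPLE));
console.log('hardened:      ', tryMerge(mergeHardened, SAMPLE));
```

A thrown `TypeError` from a merge of untrusted input is therefore not evidence that nothing was written; the key blocklist has to stop the descent before any assignment happens.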