Add util.setPath security notes.

digitalbazaar · Sep 2, 2020 · e955dcb · e955dcb
1 parent c5ab1e5
commit e955dcb
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,26 @@
 Forge ChangeLog
 ===============
 
+### Changed
+- Added `util.setPath` security note to function docs and to README.
+
+### Notes
+- **SECURITY**: The `util.setPath` function has the potential to cause
+  prototype pollution if used with unsafe input.
+  - This function is **not** used internally by `forge`.
+  - The rest of the library is unaffected by this issue.
+  - **Do not** use unsafe input with this function.
+  - Usage with known input should function as expected. (Including input
+    intentionally using potentially problematic keys.)
+  - No code changes will be made to address this issue in 0.9.x. The current
+    behavior *could* be considered a feature rather than a security issue.
+    0.10.0 will be released that removes `util.getPath` and `util.setPath`.
+    Consider `get` and `set` from [lodash](https://lodash.com/) if you need
+    replacements. But also consider the potential similar security issues with
+    those APIs.
+  - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
+
 ## 0.9.1 - 2019-09-26
 
 ### Fixed

diff --git a/README.md b/README.md
@@ -2035,6 +2035,8 @@ When using this code please keep the following in mind:
 - Certain features in this library are less susceptible to attacks depending on
   usage. This primarily includes features that deal with data format
   manipulation or those that are not involved in communication.
+- Do not pass unsafe inputs to `util.setPath`. Doing so could expose a
+  prototype pollution security issue.
 
 Library Background
 ------------------

diff --git a/lib/util.js b/lib/util.js
@@ -2520,6 +2520,9 @@ util.makeLink = function(path, query, fragment) {
  * leaf nodes are given as non-final path keys.
  * Used to avoid exceptions from missing parts of the path.
  *
+ * SECURITY NOTE: Do not use unsafe inputs. Doing so could expose a prototype
+ * pollution security issue.
+ *
  * @param object the starting object.
  * @param keys an array of string keys.
  * @param value the value to set.