Prevent prototype poisoning in clone() #352

Closed
hueniverse opened this issue Feb 8, 2020 · 0 comments
Labels: bug (Bug or defect), security (Issue with security impact)


hueniverse commented Feb 8, 2020

If an object with a __proto__ key is passed to clone(), the key is converted to a prototype. This is only an issue if the system allows invalid content to make its way into the system internals where clone is used.

Unlike past prototype poisoning issues, this is considered low risk and hard to exploit. It is not an issue when clone() is used in hapi handlers and other methods since hapi ensures no such invalid object can pass into the application from user input.
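
The behaviour described in this issue, shown as an added example that is not part of the original issue or the project's own code. `naiveClone`, `safeClone` and `demo` are hypothetical helpers, and the input object is constructed for illustration.

```javascript
// Added example: hypothetical helpers, not the library's implementation.

// Naive deep clone: plain assignment routes the "__proto__" key through the
// Object.prototype.__proto__ setter, so the key's value becomes the prototype.
function naiveClone(value) {
    if (value === null || typeof value !== 'object') {
        return value;
    }
    const copy = Array.isArray(value) ? [] : {};
    for (const key of Object.keys(value)) {
        copy[key] = naiveClone(value[key]);
    }
    return copy;
}

// Hardened deep clone: defineProperty always creates an own data property,
// so "__proto__" stays an ordinary key and the prototype is left untouched.
function safeClone(value) {
    if (value === null || typeof value !== 'object') {
        return value;
    }
    const copy = Array.isArray(value) ? [] : {};
    for (const key of Object.keys(value)) {
        Object.defineProperty(copy, key, {
            value: safeClone(value[key]),
            enumerable: true,
            writable: true,
            configurable: true
        });
    }
    return copy;
}

// Constructed input: JSON.parse creates "__proto__" as an own property.
const input = JSON.parse('{"name": "a", "__proto__": {"flag": true}}');

// Compare what each clone inherits versus what it owns.
function demo() {
    const naive = naiveClone(input);
    const safe = safeClone(input);
    const own = (obj) => Object.prototype.hasOwnProperty.call(obj, '__proto__');
    return {
        naiveInherits: naive.flag === true,
        naiveOwnKey: own(naive),
        safeInherits: safe.flag === true,
        safeOwnKey: own(safe),
        safeProto: Object.getPrototypeOf(safe) === Object.prototype
    };
}
```

In the naive clone the `flag` value is reachable through the prototype chain even though it is not an own property; the hardened clone keeps `__proto__` as ordinary data.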
