Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

type checking #30

Closed
xiaofen9 opened this issue Dec 16, 2019 · 4 comments
Closed

type checking #30

xiaofen9 opened this issue Dec 16, 2019 · 4 comments

Comments

@xiaofen9
Copy link
Contributor

@xiaofen9 xiaofen9 commented Dec 16, 2019

We found that a maliciously crafted user-input object can type checking result of kind-of module.
The vulnerability is from the following code: kind-of leverages the built-in constructor of unsafe user-input to detect type information. However, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

kind-of/index.js

Lines 68 to 70 in 4da96c0

function ctorName(val) {
return val.constructor ? val.constructor.name : null;
}

Reproduce Script

var kindOf = require('kind-of');


var user_input = {
  user: 'barney',
  age: 36,
  active: true,
  "constructor":{"name":"Symbol"}
};
console.log(kindOf(user_input));

This issue can be fixed by adding one simply check to the ctorName() function:
check typeof val.constructor === function . This check can patch the vulnerability because attackers can't use json to send function instances to the victim server.

@elordahl
Copy link

@elordahl elordahl commented Dec 23, 2019

@xiaofen9 would you care to submit this fix as a PR, for @jonschlinkert to review? 😎

@jonschlinkert jonschlinkert changed the title A vulnerability in kindof() type checking Dec 23, 2019
@jonschlinkert
Copy link
Owner

@jonschlinkert jonschlinkert commented Dec 23, 2019

A PR would be great.

Could you provide a more detailed description of specifically how and when this could become an actual exploit?

Repository owner deleted a comment from stephengcox Dec 23, 2019
@jonschlinkert jonschlinkert pinned this issue Dec 23, 2019
@jonschlinkert jonschlinkert unpinned this issue Dec 23, 2019
Repository owner locked as resolved and limited conversation to collaborators Dec 23, 2019
@jonschlinkert
Copy link
Owner

@jonschlinkert jonschlinkert commented Dec 23, 2019

I've locked the issue to prevent useless and distracting "me too" comments.

@xiaofen9 if you want to create a PR, that would be great.

It would help if you could add a description of when and how this can be used "maliciously". We can't think of one scenario where that could ever happen... but that doesn't mean it can't, so we'd love to be enlightened so that we know better in the future.

@doowb
Copy link
Sponsor Collaborator

@doowb doowb commented Jan 16, 2020

Closed by #31

@doowb doowb closed this as completed Jan 16, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants