Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Fix for Prototype Pollution - huntr.dev #121

Merged
merged 2 commits into from
Mar 29, 2021
Merged

Security Fix for Prototype Pollution - huntr.dev #121

merged 2 commits into from
Mar 29, 2021

Conversation

huntr-helper
Copy link
Contributor

@zpbrent (https://huntr.dev/users/zpbrent) has fixed a potential Prototype Pollution vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | *
Bug Fix | YES
Original Pull Request | 418sec#1

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @zpbrent, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata *

mquery is aware of the risk of prototype pollution in its exported functions cloneObject() and merge() and readily present protection by checking the key in var specialProperties = ['__proto__', 'constructor', 'prototype']. However, the current protection misses to protect another exported function mergeClone(). As a result, the latest version 3.2.4 is still vulnerable to prototype pollution.

Bounty URL: https://www.huntr.dev/bounties/1-npm-mquery/

⚙️ Description *

Filter out specialProperties = ['__proto__', 'constructor', 'prototype'] .

💻 Technical Description *

Place the protection code in mergeClone():
if (specialProperties.indexOf(key) !== -1) { continue; }

🐛 Proof of Concept (PoC) *

// PoC.js version of mquery is 3.2.4
mquery = require('mquery');
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // HACKED

🔥 Proof of Fix (PoF) *

// PoC.js version of mquery is 3.2.4
mquery = require('mquery');
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // undefined

👍 User Acceptance Testing (UAT)

N/A

🔗 Relates to...

https://www.huntr.dev/bounties/1-npm-mquery/

zpbrent and others added 2 commits March 17, 2021 21:26
@zpbrent
Update utils.js
a7b6d7c
Merge pull request #1 from zpbrent/patch-1
d3b230b 
Security Fix for Prototype Pollution in mquery
vkarpov15
vkarpov15 approved these changes Mar 29, 2021
View reviewed changes
Copy link
Member

@vkarpov15 vkarpov15 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍

Just to alleviate concerned readers, this does not affect Mongoose, Mongoose has its own mergeClone() that was fixed in Automattic/mongoose@22ad62a

@vkarpov15 vkarpov15 merged commit 158f059 into mongoosejs:master Mar 29, 2021
vkarpov15 added a commit to Automattic/mongoose that referenced this pull request Mar 29, 2021
@vkarpov15
chore: upgrade mquery -> 3.2.5 re: mongoosejs/mquery#121
7d2e9c9
@vkarpov15 vkarpov15 mentioned this pull request Mar 29, 2021
Closed
This was referenced Mar 31, 2021
Open
Open
Open
Open
Open
Open
Closed
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
@snyk-bot snyk-bot mentioned this pull request Nov 24, 2022
Open
@snyk-bot snyk-bot mentioned this pull request Dec 27, 2022
Open
This was referenced Feb 17, 2023
Merged
Merged
This was referenced Apr 3, 2023
Merged
Open
@snyk-bot snyk-bot mentioned this pull request Apr 28, 2023
Open
This was referenced May 9, 2023
Open
Open
@SonnyBurnett SonnyBurnett mentioned this pull request Jun 21, 2023
Open
@timiurchenko timiurchenko mentioned this pull request Sep 13, 2023
Open
@12345bt 12345bt mentioned this pull request Nov 27, 2023
Open
@jpkraemer jpkraemer mentioned this pull request Nov 27, 2023
Open
@Emilemuny Emilemuny mentioned this pull request Nov 28, 2023
Open
@ghouldaemon ghouldaemon mentioned this pull request Nov 29, 2023
Closed
This was referenced Dec 4, 2023
Open
Open
This was referenced Dec 8, 2023
Closed
Closed
This was referenced Dec 16, 2023
Closed
Closed
This was referenced Dec 29, 2023
Closed
Closed
Closed
This was referenced Jan 8, 2024
Closed
Closed
This was referenced Jan 17, 2024
Closed
Open
@SonyaMoisset SonyaMoisset mentioned this pull request Jan 30, 2024
Open
@github-actions github-actions bot mentioned this pull request Jun 6, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vkarpov15 vkarpov15 vkarpov15 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@huntr-helper @vkarpov15 @zpbrent