Skip to content
Permalink
Browse files
console: fix prototype pollution via console.table
CVE-ID: CVE-2022-21824
PR-URL: nodejs-private/node-private#307
Refs: https://hackerone.com/reports/1431042
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
  • Loading branch information
tniessen authored and danielleadams committed Jan 10, 2022
1 parent 0370a26 commit 8dd4ca4537a72d8fbf3ae9e41b4c13d77b519b4d
Showing with 17 additions and 1 deletion.
  1. +2 −1 lib/internal/console/constructor.js
  2. +15 −0 test/parallel/test-console-table.js
@@ -15,6 +15,7 @@ const {
MathFloor,
Number,
NumberPrototypeToFixed,
ObjectCreate,
ObjectDefineProperties,
ObjectDefineProperty,
ObjectKeys,
@@ -554,7 +555,7 @@ const consoleMethods = {
return final([iterKey, valuesKey], [getIndexArray(length), values]);
}

const map = {};
const map = ObjectCreate(null);
let hasPrimitives = false;
const valuesKeyArray = [];
const indexKeyArray = ObjectKeys(tabularData);
@@ -276,3 +276,18 @@ test({ foo: '你好', bar: 'hello' }, `
│ bar │ 'hello' │
└─────────┴─────────┘
`);

// Regression test for prototype pollution via console.table. Earlier versions
// of Node.js created an object with a non-null prototype within console.table
// and then wrote to object[column][index], which lead to an error as well as
// modifications to Object.prototype.
test([{ foo: 10 }, { foo: 20 }], ['__proto__'], `
┌─────────┬───────────┐
│ (index) │ __proto__ │
├─────────┼───────────┤
│ 0 │ │
│ 1 │ │
└─────────┴───────────┘
`);
assert.strictEqual('0' in Object.prototype, false);
assert.strictEqual('1' in Object.prototype, false);

0 comments on commit 8dd4ca4

Please sign in to comment.