-
Notifications
You must be signed in to change notification settings - Fork 0
/
change.diff
49 lines (45 loc) · 4.38 KB
/
change.diff
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
diff --git a/node_modules/tough-cookie/lib/memstore.js b/node_modules/tough-cookie/lib/memstore.js
index d2b915c..e1b5e68 100644
--- a/node_modules/tough-cookie/lib/memstore.js
+++ b/node_modules/tough-cookie/lib/memstore.js
@@ -36,7 +36,10 @@ var util = require('util');
function MemoryCookieStore() {
Store.call(this);
- this.idx = {};
+ // OPTION: Replace - this.idx = {}; ,with, this.idx = Object.create(null);
+ // Creating a new object idx with no prototype. This means that idx does not inherit any properties or methods from the Object.prototype like it would if you had used {}.
+ // this.idx = {};
+ this.idx = Object.create(null);
}
util.inherits(MemoryCookieStore, Store);
exports.MemoryCookieStore = MemoryCookieStore;
@@ -113,12 +116,21 @@ MemoryCookieStore.prototype.findCookies = function(domain, path, cb) {
cb(null,results);
};
+/*
+# Vulnerability occurs if you use CookieJar in rejectPublicSuffixes=false mode.
+ You can do Prototype Pollution when pass Domain=__proto__
+# As you can see, this.idx - Object
+If cookie.domain equals to __proto__ then you override global object prototype.
+It seems to me that this is clearly non-obvious behavior. It also carries certain risks.
+# When the putCookie function is called with cookie.domain === '__proto__',
+it checks if this.idx[cookie.domain] exists. Since this.idx was created using Object.create(null), it does not have any inherited properties, so this.idx['__proto__'] does not trigger the prototype pollution issue.
+*/
MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
if (!this.idx[cookie.domain]) {
- this.idx[cookie.domain] = {};
+ this.idx[cookie.domain] = Object.create(null);
}
if (!this.idx[cookie.domain][cookie.path]) {
- this.idx[cookie.domain][cookie.path] = {};
+ this.idx[cookie.domain][cookie.path] = Object.create(null);
}
this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
cb(null);
@@ -150,7 +162,7 @@ MemoryCookieStore.prototype.removeCookies = function(domain, path, cb) {
};
MemoryCookieStore.prototype.removeAllCookies = function(cb) {
- this.idx = {};
+ this.idx = Object.create(null);
return cb(null);
}