[invalid] Prototype pollution found in dom.js #436
Comments
If you find a vulnerability, please follow the process documented in https://github.com/xmldom/xmldom/blob/master/SECURITY.md to disclose it properly. I'm not able to find any information related to the provided CVE id other than that it has been reserved. v0.6.0 contains the following vulnerability, which has been fixed in the more recent version 0.7.0 s of the library: the Please check if the issue you are reporting is also present in a more recent version. Closing this issue for now, feel free to provide more information in this issue or follow the steps described in https://github.com/xmldom/xmldom/blob/master/SECURITY.md .
by no longer using the `in` operator. #436
by adding `hasOwnProperty` checks. #436
A fix has been published as 0.8.3 (latest), 0.7.6 and 0.9.0-beta.2 (next). The security advisory has been published: GHSA-9pgh-qqpf-7wqj
Hi @karfau. The xml-encryption and xml-crypto (issue) are using I've created a PR that I believe properly backports your fix: #441
@jftanner thanks a lot!
Very happy to be of assistance!
version 0.7.6 is available
Thanks @karfau!
Looks like the problem still exists in 0.7.6
I think that's a false positive. Snyk doesn't know that 0.7.6 was a fix. Looks like the CVE is being re-analyzed. Hopefully they'll pick up the fixed version. https://nvd.nist.gov/vuln/detail/CVE-2022-37616
Yes, there is a pending PR to update the information on the GitHub side: github/advisory-database#747
@karfau I can't for the life of me figure out how #437 fixes a security issue. I see that the lack of Feel free to reach out to me in private if you don't want to comment in public.
@karfau looks like @Supraja9726 has been routinely opening issues like this in a bunch of repositories. Many of them have been closed as false positives by maintainers. Can you please confirm if you've actually been able to verify the security impact here?
Thx, @jupenur for having a look. I did not invest any time into trying to verify it (which is also not one of the things I know how to thoroughly do). Since it was announced in public I figured I'd find all potential cases like that in the code base and the missing checks to prevent all similar kinds of issues, and publish a new version.
After finding this same pattern in an app I am reviewing I set out to write exploit code and verify that the app was vulnerable. This pattern of After running every payload and PoC I can find through these two functions forwards and backwards, I have not been able to pollute the prototype:
If anyone, including and especially the reporter, could provide a working PoC affecting statements such as
Thank you @jdgregson for investing the time and focus.
The amount of time I've spent remediating this issue is exceptionally frustrating now. 😂 Thanks for your detailed analysis @jdgregson.
There is another answer to a report from this person showing that I might go through and challenge each of this person's CVEs when I have some time. This behavior is irresponsible and harmful.
Hello, https://dl.acm.org/doi/pdf/10.1145/3488932.3497769 - This is the published paper with the Github link to her static analysis tool. |
Hi @Supraja9726, thanks for following up. I would be happy to read the paper and try to understand if there is a vulnerability we're missing or if this static analysis tool is finding false positives. However, the article appears to be locked behind a paywall. Is this article published publicly somewhere?
@jdgregson the PDF is available here, via Google Scholar: http://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
Hello, please refer to the code below:
Here, only the target object is polluted (and in several other repositories). A prototype injection/prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted. This is still harmful in places where other objects might make use of the polluted ones. This leads to remote code execution or DoS when affecting existing functions like toString, valueOf, etc. This can be avoided by placing the necessary preventive measures while copying or cloning the objects. Thanks
@Supraja9726
FYI: The request to mark the CVE as invalid led to the following response:
Thanks for the reply, @Supraja9726. I've given it some thought and have to reverse course. I agree that there is a security issue here, and it is not addressed by the PR that attempted to fix it. My main misunderstanding was that prototype pollution always means that the global Object prototype was polluted, and as @Supraja9726 pointed out here, there can be security impact if only one object is polluted via the To demonstrate the issue, let's suppose a developer wants to allow users to update their profiles. To do this, they merge data sent by the user with the data they currently have stored. The developer is careful not to let users set sensitive attributes on their user object, and throws an exception if this is attempted:
When a user attempts to explicitly set
However, if the user instead uses
This can lead to significant security impact in applications that use the
How would an application use the copy function of xmldom for anything other than the very specific internal use-cases of the library itself? The copy function is not exported.
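Added example, not code from this thread or from the xmldom project, illustrating both the point @Supraja9726 makes above (a `for...in` copy can pollute the target object without touching the global prototype) and the profile-update scenario @jdgregson describes. The function names `copyUnchecked`, `copyChecked`, `applyProfileUpdate` and `demo`, the `SENSITIVE` list and the JSON request body are all constructed for this illustration; the unchecked copy is the same `for (p in src) dest[p] = src[p]` shape the issue is about, and the checked copy is the `hasOwnProperty`-based shape the fix commits refer to:

```javascript
// Added example (not xmldom's own code). Shows why a plain for...in copy lets a
// source object rewire the *target's* prototype, and the hardened copy that
// prevents it. All names here are hypothetical.

// Vulnerable pattern: every enumerable key is copied, including an own key
// literally named "__proto__". Assigning dest["__proto__"] invokes the
// __proto__ setter inherited from Object.prototype and replaces dest's prototype.
function copyUnchecked(src, dest) {
  for (const p in src) {
    dest[p] = src[p];
  }
  return dest;
}

// Hardened pattern: own properties only, and never the keys that can alter
// an object's prototype chain.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function copyChecked(src, dest) {
  for (const p in src) {
    if (!Object.prototype.hasOwnProperty.call(src, p)) continue;
    if (BLOCKED_KEYS.has(p)) continue;
    dest[p] = src[p];
  }
  return dest;
}

// Hypothetical profile update: the app blocks explicit writes to sensitive
// attributes but delegates the actual copy to one of the functions above.
const SENSITIVE = ['isAdmin'];
function applyProfileUpdate(user, update, copyFn) {
  for (const key of SENSITIVE) {
    if (Object.prototype.hasOwnProperty.call(update, key)) {
      throw new Error('cannot set ' + key);
    }
  }
  return copyFn(update, user);
}

// Runs the update with a constructed request body. JSON.parse creates
// "__proto__" as an ordinary own property (an object literal would not), so
// the sensitive-key check above sees no "isAdmin" and lets it through.
function demo(copyFn) {
  const user = { name: 'alice' };
  const body = '{"name": "alice2", "__proto__": {"isAdmin": true}}';
  applyProfileUpdate(user, JSON.parse(body), copyFn);
  return {
    name: user.name,
    // true only if this one object's prototype was replaced
    isAdmin: user.isAdmin === true,
    // stays false in both cases: Object.prototype itself is untouched
    globalPolluted: ({}).isAdmin === true,
  };
}

console.log('unchecked:', demo(copyUnchecked)); // isAdmin: true, globalPolluted: false
console.log('checked:  ', demo(copyChecked));   // isAdmin: false, globalPolluted: false
```

Note that `globalPolluted` is false in both runs: only the object passed as `dest` has its prototype swapped, which is exactly the "target object is polluted" case. A check written as `'isAdmin' in user` would also be fooled after the unchecked copy, because `in` walks the prototype chain; that is why the fix commits referenced above replace `in` with `hasOwnProperty` checks.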
Prototype pollution vulnerability in function copy in dom.js in xmldom xmldom 0.6.0 via the p variable in dom.js.
The prototype pollution vulnerability can be mitigated with several best practices described here: https://learn.snyk.io/lessons/prototype-pollution/javascript/