Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prototype pollution vulnerability in extend (CVE-2024-45435) #1433

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: prototype pollution vulnerability in extend (CVE-2024-45435) #1433

wants to merge 1 commit into from

Conversation

andersk
Copy link

@andersk andersk commented Oct 2, 2024
edited
Loading

@andersk andersk mentioned this pull request Oct 2, 2024
Open
1 task
@tariqhawis
Copy link

Hi @andersk ,

Thank you for your feedback regarding the report. I would like to highlight an additional prototype accessor: constructor.prototype. A potential injection could look like this:

extend ({}, JSON.parse('{"constructor":{"prototype":{"polluted":yes}}}'))"

Checking for the presence of constructor in the input should be sufficient.

Best,
Tariq

@andersk andersk force-pushed the proto branch 2 times, most recently from 4801823 to 17cffef Compare October 2, 2024 20:41
@andersk
Copy link
Author

andersk commented Oct 2, 2024

Checking for the presence of constructor in the input should be sufficient.

Nope, it’s not.

extend({}, {"hasOwnProperty": {"polluted": "yes"}});
console.log(Object.prototype.hasOwnProperty.polluted); // → yes

I’ve pushed a more complete fix.

@andersk andersk force-pushed the proto branch 3 times, most recently from 6745108 to 12b84bd Compare October 2, 2024 21:10
rockerBOO added a commit to rockerBOO/chartist that referenced this pull request Nov 8, 2024
@rockerBOO
fix: prototype pollution vulnerability in extend (CVE-2024-45435) and…
7e88e47 
…ersk chartist-js#1433
@praveen-zensar
Copy link

praveen-zensar commented Jan 20, 2025
edited
Loading

Please merge this fix as it's a severity score is high.

danielpalme
danielpalme reviewed Feb 9, 2025
View reviewed changes
src/utils/extend.ts
for (const prop in source) {
if (targetProto !== null && prop in targetProto) {
Copy link

@danielpalme danielpalme Feb 9, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I propose the following change for this line:
if (prop === "__proto__" || prop === "constructor" || (targetProto !== null && prop in targetProto)) {

See: https://codeql.github.com/codeql-query-help/javascript/js-prototype-pollution-utility/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danielpalme danielpalme danielpalme left review comments

@praveen-zensar praveen-zensar praveen-zensar approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: Prototype Pollution Vulnerability Affecting chartist module, versions >=1.0.0 <=1.3.0
4 participants
@andersk @tariqhawis @praveen-zensar @danielpalme