Preventing prototype pollution vulnerabilities (#2115)

* Preventing prototype pollution vulnerabilities * added changelog.md * changed changelog * added each in tests * fixed test description * fixed vulnerability for add method * fixed tests and changelog as suggested
bugsnag · Apr 15, 2024 · f1a2167 · f1a2167
1 parent be1ea1d
commit f1a2167
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 ### Changed
 
+- (metadata-delegate) Preventing prototype pollution vulnerabilities [#2115](https://github.com/bugsnag/bugsnag-js/pull/2115)
 - (plugin-interaction-breadcrumbs) Improved performance of click event breadcrumbs [#2094](https://github.com/bugsnag/bugsnag-js/pull/2094)
 - (react-native) Rename Bugsnag.framework to BugsnagReactNative.framework [#2117](https://github.com/bugsnag/bugsnag-js/pull/2117)
 

diff --git a/packages/core/lib/metadata-delegate.js b/packages/core/lib/metadata-delegate.js
@@ -14,6 +14,11 @@ const add = (state, section, keyOrObj, maybeVal) => {
   // exit if we don't have an updates object at this point
   if (!updates) return
 
+  // preventing the __proto__ property from being used as a key
+  if (section === '__proto__' || section === 'constructor' || section === 'prototype') {
+    return
+  }
+
   // ensure a section with this name exists
   if (!state[section]) state[section] = {}
 
@@ -41,6 +46,11 @@ const clear = (state, section, key) => {
     return
   }
 
+  // preventing the __proto__ property from being used as a key
+  if (section === '__proto__' || section === 'constructor' || section === 'prototype') {
+    return
+  }
+
   // clear a single value from a section
   if (state[section]) {
     delete state[section][key]

diff --git a/packages/core/test/metadata-delegate.test.js b/packages/core/test/metadata-delegate.test.js
@@ -0,0 +1,58 @@
+import { add, clear } from '../lib/metadata-delegate'
+
+// it doesn't seem easy or even impossible to check whether __proto__ keys can be overwritten
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto
+// so tests are only for prototype and constructor
+
+describe('metadata delegate', () => {
+  describe('add', () => {
+    it.each([
+      {
+        key: 'constructor',
+        expected: {}
+      },
+      {
+        key: 'prototype',
+        expected: {}
+      }
+    ])('should not add $key keys', ({ key, expected }) => {
+      const state = {}
+      add(state, key, 'foo', 'bar')
+      expect(state).toEqual(expected)
+    })
+  })
+
+  describe('clear', () => {
+    it.each([
+      {
+        key: 'constructor',
+        state: {
+          constructor: {
+            foo: 'bar'
+          }
+        },
+        expected: {
+          constructor: {
+            foo: 'bar'
+          }
+        }
+      },
+      {
+        key: 'prototype',
+        state: {
+          prototype: {
+            foo: 'bar'
+          }
+        },
+        expected: {
+          prototype: {
+            foo: 'bar'
+          }
+        }
+      }
+    ])('should not overwrite $key keys', ({ key, state, expected }) => {
+      clear(state, key, 'foo')
+      expect(state).toEqual(expected)
+    })
+  })
+})