Skip to content

Prototype pollution in emit function

Low severity GitHub Reviewed Published Apr 17, 2024 in derbyjs/derby • Updated Apr 17, 2024

Package

npm derby (npm)

Affected versions

<= 2.3.1
>= 3.0.0, <= 3.0.1
>= 4.0.0-beta1, <= 4.0.0-beta.10

Patched versions

2.3.2
3.0.2
4.0.0-beta.11

Description

Summary

A prototype pollution in derby can crash the application, if the application author has atypical HTML templates that feed user input into an object key.

Attribute keys are almost always developer-controlled, not end-user-controlled, so this shouldn't be an issue in practice for most applications.

Details

emit(context: Context, target: T) {
  const node = traverseAndCreate(context.controller, this.segments);
    node[this.lastSegment] = target;
    this.addListeners(target, node, this.lastSegment);
}

The emit() function in src/templates/templates.ts is called without sanitizing the variable this.lastSegment . The variable this.lastSegment can be set to __proto__, and this will pollute the prototype of Javascipt Object (node['__proto__'] = target).

PoC

To reproduce this vulnerability, you can adjust the test case ignores DOM mutations in components\' create() in test/dom/ComponentHarness.mocha.js.

it('ignores DOM mutations in components\' create()', function() {
      function Box() {}
      Box.view = {
        is: 'box',
-        source: '<index:><div class="box" as="boxElement"></div>'
+        source: '<index:><div class="box" as="__proto__"></div>'
      };
      Box.prototype.create = function() {
        this.boxElement.className = 'box-changed-in-create';
      };
      var harness = runner.createHarness('<view is="box" />', Box);
      expect(harness).to.render('<div class="box"></div>');
});

When as attribute is controlled by attackers, the variable in this.lastSegment will exactly take value __proto__ and prototype pollution happens.

Patch

Add a check on this.lastSegment can prevent this attack.

emit(context: Context, target: T) {
  const node = traverseAndCreate(context.controller, this.segments);
+  if (this.lastSegment.includes('__proto__') || this.lastSegment.includes('prototype')) {
+    throw new Error('Unsafe code detected');
+  }
    node[this.lastSegment] = target;
    this.addListeners(target, node, this.lastSegment);
}

References

@ericyhwang ericyhwang published to derbyjs/derby Apr 17, 2024
Published to the GitHub Advisory Database Apr 17, 2024
Reviewed Apr 17, 2024
Last updated Apr 17, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-82jv-9wjw-pqh6

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.