New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security Risk #282
Comments
All occurrences of new object creation in `memstore.js` have been changed from `{}` (i.e.; `Object.create(Object.prototype)` to `Object.create(null)` so that we are using object instances that do not have a prototype property that can be polluted. @fixes #282
All occurrences of new object creation in `memstore.js` have been changed from `{}` (i.e.; `Object.create(Object.prototype)` to `Object.create(null)` so that we are using object instances that do not have a prototype property that can be polluted. @fixes #282
Can this fix be back ported to version 2.x of |
We recommend upgrading to 4.1.3 to move out of exposure: https://status.salesforce.com/generalmessages/1155 |
I would upgrade if |
Same here. Would appreciate a back-port to 2.x and 3.x. Even though it'd be easy to achieve IMO I have little hope it'll materialize. I'm not seeing 2.x/3.x maintenance branches. |
Also, the same here. There are multiple npm packages locked to |
@marcelstoer @bhsdodo is the dependency on |
@colincasey Yes, it is |
@bhsdodo (or anyone, for that matter) can you confirm whether 4.1.3 is backwards compatible with |
I'm also interested in this, addressing similar security scans against I dug around a bit in this repo...
I had been planning to add a specific pnpm override, but considering the convo in #282 (comment) , I may just defer until a 2.x backport exists |
We currently have no plans to do a backport. We do recommend moving to 4.1.3 to move out of exposure. The work that is coming in 5 will be a large change from 4.x and previous versions, as the project has embraced typescript. |
No problem, thanks for the info! |
Overview
While researching a commercial product, I came across a vulnerability in their infrastructure caused by your library
Vulnerability occurs if you use CookieJar in
rejectPublicSuffixes=false
mode.You can do Prototype Pollution when pass Domain=
__proto__
It comes from this point in the code:
As you can see, this.idx - Object
If cookie.domain equals to
__proto__
then you override global object prototype.It seems to me that this is clearly non-obvious behavior. It also carries certain risks.
Fix
To fix this, you need to store cookies in Map, or you can use
this.idx = Object.create(null);
to create idx variablePoC
To reproduce vulnerability,
node PoC.js
, you will see the printed stringCookie="Slonser=polluted; Domain=__proto__; Path=/notauth; hostOnly=false; aAge=1117ms; cAge=1117ms"
in the terminalBut as you can see, script didn't set
["/notauth"]["Slonser"]
property by it self.The text was updated successfully, but these errors were encountered: