hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Address comments

Browse Source
This commit is contained in:
Asger F
2019-05-15 10:09:56 +01:00
parent 778244878a
commit 682f2790cd
2 changed files with 19 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
javascript/ql/src/Security/CWE-400/PrototypePollution.qhelp
View File

@@ -6,8 +6,9 @@
<overview>
<p>
Most JavaScript objects inherit the properties of the built-in <code>Object.prototype</code> object.
If an attacker is be able to modify <code>Object.prototype</code>, they can tamper with the
application logic and often escalate to remote code execution or cross-site scripting.
Prototype pollution is a type of vulnerability in which an attacker is be able to modify <code>Object.prototype</code>.
Since most objects inherit from the compromised <code>Object.prototype</code>, the attacker can use this
to tamper with the application logic, and often escalate to remote code execution or cross-site scripting.
</p>
<p>
@@ -36,9 +37,13 @@
<sample src="examples/PrototypePollution1.js"/>
<p>
Prior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send
the value <code>{"constructor": {"prototype": {"xxx": true}}}</code> to inject <code>xxx</code>
in <code>Object.prototype</code>.
Prior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send the following GET request:
</p>
<pre>GET /news?prefs={"constructor":{"prototype":{"xxx":true}}}</pre>
<p>
This causes the <code>xxx</code> property to be injected on <code>Object.prototype</code>.
Fix this by updating the lodash version:
</p>
@@ -47,11 +52,17 @@
<p>
Note that some web frameworks, such as Express, parse query parameters using extended URL-encoding
by default.
In this case, the application may be vulnerable even if not using <code>JSON.parse</code>.
When this is the case, the application may be vulnerable even if not using <code>JSON.parse</code>.
The example below would also be susceptible to prototype pollution:
</p>
<sample src="examples/PrototypePollution2.js"/>
<p>
In the above example, an attacker can cause prototype pollution by sending the following GET request:
</p>
<pre>GET /news?prefs[constructor][prototype][xxx]=true</pre>
</example>
<references>

4
javascript/ql/src/Security/CWE-400/examples/PrototypePollution2.js
View File

@@ -1,5 +1,5 @@
app.get('/news', (req, res) => {
let prefs = lodash.merge({}, {
topic: req.query.topic
let config = lodash.merge({}, {
prefs: req.query.prefs
});
})