JS: Normalize whitespace

This commit is contained in:
Asger F
2019-05-14 10:31:28 +01:00
parent fd9765b99f
commit 778244878a


@@ -4,38 +4,38 @@
<qhelp>
<overview>
<p>
<p>
Most JavaScript objects inherit the properties of the built-in <code>Object.prototype</code> object.
If an attacker is be able to modify <code>Object.prototype</code>, they can tamper with the
application logic and often escalate to remote code execution or cross-site scripting.
</p>
</p>
<p>
<p>
One way to cause prototype pollution is through use of an unsafe <em>merge</em> or <em>extend</em> function
to recursively copy properties from an untrusted source object.
Such a call can modify any object reachable from the destination object, and
the built-in <code>Object.prototype</code> is usually reachable through the special properties
<code>__proto__</code> and <code>constructor.prototype</code>.
An attacker can abuse this by sending an object with these property names and thereby modify <code>Object.prototype</code>.
</p>
</p>
</overview>
<recommendation>
<p>
<p>
Update your library dependencies in order to use a safe version of the <em>merge</em> or <em>extend</em> function.
If you library has no fixed version, switch to another library.
</p>
</p>
</recommendation>
<example>
<p>
<p>
In the example below, the untrusted value <code>req.query.prefs</code> is parsed as JSON
and then copied into a new object:
</p>
</p>
<sample src="examples/PrototypePollution1.js"/>
<p>
<p>
Prior to lodash 4.17.11 this would be vulnerable to prototype pollution. An attacker could send
the value <code>{"constructor": {"prototype": {"xxx": true}}}</code> to inject <code>xxx</code>
in <code>Object.prototype</code>.
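Review bot: two typos sit in the lines this whitespace-only hunk carries and would be cheap to fix in the same pass: "If an attacker is be able to modify <code>Object.prototype</code>" should read "If an attacker is able to modify <code>Object.prototype</code>", and "If you library has no fixed version, switch to another library." should read "If your library has no fixed version, switch to another library." While there, the recommendation only covers upgrading the merge/extend dependency; since the overview already names the <code>__proto__</code> and <code>constructor.prototype</code> paths, a sentence advising that untrusted keys named <code>__proto__</code>, <code>constructor</code> or <code>prototype</code> be rejected before any recursive copy would give readers a mitigation that does not depend on a fixed library version.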
@@ -55,15 +55,15 @@
</example>
<references>
<li>Prototype pollution attacks:
<a href="https://hackerone.com/reports/380873">lodash</a>,
<li>Prototype pollution attacks:
<a href="https://hackerone.com/reports/380873">lodash</a>,
<a href="https://hackerone.com/reports/454365">jQuery</a>,
<a href="https://hackerone.com/reports/381185">extend</a>,
<a href="https://hackerone.com/reports/430291">just-extend</a>,
<a href="https://hackerone.com/reports/381194">merge.recursive</a>,
</li>
<li>Express:
<a href="https://expressjs.com/en/api.html#express.urlencoded">urlencoded()</a>
</li>
</li>
<li>Express:
<a href="https://expressjs.com/en/api.html#express.urlencoded">urlencoded()</a>
</li>
</references>
</qhelp>
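Review bot: the attack-report list ends with a stray trailing comma, `<a href="https://hackerone.com/reports/381194">merge.recursive</a>,` followed directly by `</li>`; drop the comma or put a period there. The Express <code>urlencoded()</code> entry is also unexplained: the example above parses <code>req.query.prefs</code> as JSON rather than reading a form-encoded body, so a short qualifier on that reference saying why it is relevant to this query (e.g. as a parser that can produce nested objects from user input) would help readers who follow the link.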