Skip to content

Fix prototype pollution vulnerability #69

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fiznool merged 6 commits into from
May 19, 2021
Merged

Fix prototype pollution vulnerability #69

fiznool merged 6 commits into from
May 19, 2021

Conversation

@yadhukrishnam
Copy link
Contributor

@yadhukrishnam yadhukrishnam commented May 18, 2021

Set the prototype of parsed xml object to undefined, so that prototype pollution is prevented.

fiznool
fiznool requested changes May 18, 2021
View reviewed changes
Copy link
Owner

@fiznool fiznool left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to sanitize nested objects as well? What about an XML payload of (e.g.)

<foo>
  <bar>
    <__proto__>
      <name>Bob</name>
    </__proto__>
  </bar>
</foo>

From what I can gather about prototype pollution, it can happen if __proto__ is overridden on any object?

@fiznool fiznool changed the title Fixes #68 Fix prototype pollution vulnerability May 18, 2021
yadhukrishnam and others added 2 commits May 18, 2021 21:13
@yadhukrishnam yadhukrishnam requested a review from fiznool May 18, 2021 16:44
@fiznool
Copy link
Owner

fiznool commented May 18, 2021

Do we need to sanitize nested objects as well?

Did you have any thoughts on this?

@yadhukrishnam
Copy link
Contributor Author

yadhukrishnam commented May 18, 2021

Do we need to sanitize nested objects as well?

Did you have any thoughts on this?

I tested that. But doesn't seem to be vulnerable. The fix seems perfect for me now.

@fiznool
Copy link
Owner

fiznool commented May 18, 2021

CI is failing: need to run npm run prettier to fix. Once this is done and CI is passing I will merge in.

@fiznool fiznool merged commit 18581a7 into fiznool:master May 19, 2021
@fiznool fiznool mentioned this pull request May 19, 2021
Closed
fiznool
fiznool reviewed May 19, 2021
View reviewed changes
Copy link
Owner

@fiznool fiznool left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the contribution, released as 2.0.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fiznool fiznool fiznool requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yadhukrishnam @fiznool