Fix protobufjs Improperly Controlled Modification of Object Prototype Pollution #2262
Commits on Feb 23, 2024
-
Fix protobufjs Prototype Pollution vulnerability
A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. ## Vulnerability Description * Using the parse function ```js const protobuf = require("protobufjs"); protobuf.parse('option(a).constructor.prototype.verified = true;'); console.log({}.verified); // returns true ``` * Using the `setParsedOption` function of a `ReflectionObject` ```js const protobuf = require("protobufjs"); function gadgetFunction(){ console.log("User is authenticated"); } // This will fail, but also pollute the prototype of Object try { let obj = new protobuf.ReflectionObject("Test"); obj.setParsedOption("unimportant!", gadgetFunction, "constructor.prototype.testFn"); } catch (e) {} // Now we can make use of the new function on the polluted prototype const a = {}; a.testFn(); // Prints "User is authenticated" to the console. ``` * Using the function `util.setProperty` ```js const protobuf = require("protobufjs"); protobuf.util.setProperty({}, "constructor.prototype.verified", true); console.log({}.verified); // returns true ``` * With the `proto.poc` file containing the following line: ``` option(foo).constructor.prototype.verified = true; ``` CVE-2023-36665 CWE-1321 `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.