logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-82jv-9wjw-pqh6 derby

Package

Manager: npm
Name: derby
Vulnerable Version: >=0 <2.3.2 || >=3.0.0 <3.0.2 || >=4.0.0-beta1 <4.0.0-beta.11

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Prototype pollution in emit function ### Summary A prototype pollution in derby can crash the application, if the application author has atypical HTML templates that feed user input into an object key. Attribute keys are almost always developer-controlled, not end-user-controlled, so this shouldn't be an issue in practice for most applications. ### Details ``` emit(context: Context, target: T) { const node = traverseAndCreate(context.controller, this.segments); node[this.lastSegment] = target; this.addListeners(target, node, this.lastSegment); } ``` The emit() function in src/templates/templates.ts is called without sanitizing the variable `this.lastSegment `. The variable `this.lastSegment ` can be set to `__proto__`, and this will pollute the prototype of Javascipt Object (`node['__proto__'] = target`). ### PoC To reproduce this vulnerability, you can adjust the test case `ignores DOM mutations in components\' create()` in `test/dom/ComponentHarness.mocha.js`. ``` it('ignores DOM mutations in components\' create()', function() { function Box() {} Box.view = { is: 'box', - source: '<index:><div class="box" as="boxElement"></div>' + source: '<index:><div class="box" as="__proto__"></div>' }; Box.prototype.create = function() { this.boxElement.className = 'box-changed-in-create'; }; var harness = runner.createHarness('<view is="box" />', Box); expect(harness).to.render('<div class="box"></div>'); }); ``` When `as` attribute is controlled by attackers, the variable in `this.lastSegment` will exactly take value` __proto__` and prototype pollution happens. ### Patch Add a check on `this.lastSegment` can prevent this attack. ``` emit(context: Context, target: T) { const node = traverseAndCreate(context.controller, this.segments); + if (this.lastSegment.includes('__proto__') || this.lastSegment.includes('prototype')) { + throw new Error('Unsafe code detected'); + } node[this.lastSegment] = target; this.addListeners(target, node, this.lastSegment); } ```

Metadata

Created: 2024-04-17T22:26:37Z
Modified: 2024-04-17T22:26:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-82jv-9wjw-pqh6/GHSA-82jv-9wjw-pqh6.json
CWE IDs: ["CWE-1321"]
Alternative ID: N/A
Finding: F390
Auto approve: 1