
prototype pollution in lib/session.js

Open chluo1997 opened this issue 1 year ago • 0 comments

There is a prototype pollution in file lib/session.js, line 46. data[key]=params[key];

The code uses key as the index for the data object. If key is "__proto__", prototype pollution occurs.

To reproduce, see it('5.test read and write session ', function(done) {}. Since the key of v is supplied by users, attackers can change the key of variable v to be __proto__ to conduct attacks.

Suggestions: To fix this vulnerability, it is recommended to blacklist prototype pollution payloads in key.


set(params){
        return new Promise( (resolve)=>{
            let data= _sessionData[this.sessionId];
            for(let key in params){
+                if (key === '__proto__' or key === 'constructor') {
+                     continue;
+               }
                data[key]=params[key];
            }
            resolve(data)
            
         });
            
         
    }
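Review bot: `or` in the added line `+ if (key === '__proto__' or key === 'constructor') {` is not JavaScript syntax, so the file would fail to parse; it needs `||`: `if (key === '__proto__' || key === 'constructor') { continue; }`. While touching this loop, consider also rejecting `'prototype'` and iterating `Object.keys(params)` instead of `for(let key in params)`, so that properties inherited by `params` are not copied into `data` either.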

chluo1997 avatar Apr 24 '24 07:04 chluo1997
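As an added example that is not part of this issue or of the webcontext code base, the following stand-in reproduces the `data[key]=params[key]` loop described above in a vulnerable form and in a hardened form that applies the blocklist the issue suggests. The session store `_sessionData`, the functions `getSession`, `setVulnerable`, `setHardened` and `demo`, the session ids and the request body are hypothetical names and constructed data for this demonstration. It also shows what the one-level assignment actually does: the `__proto__` key replaces the prototype of the session object itself, so a value such as `isAdmin` becomes readable on the session without ever being written as an own property, while the shared `Object.prototype` is left alone.

```javascript
// Added example, not webcontext's code. Stand-in for the lib/session.js
// pattern quoted in the issue (data[key] = params[key] in a for..in loop),
// shown as the vulnerable original and a hardened version that applies the
// blocklist the issue suggests. _sessionData, getSession, setVulnerable,
// setHardened, demo and the session ids are hypothetical names.

const _sessionData = {};               // hypothetical in-memory session store

function getSession(sessionId) {
  // create a fresh session object on first use
  if (!Object.hasOwn(_sessionData, sessionId)) _sessionData[sessionId] = {};
  return _sessionData[sessionId];
}

// Vulnerable form: copies every key the caller supplies, including
// '__proto__', which triggers the Object.prototype.__proto__ setter and
// swaps out the session object's prototype.
function setVulnerable(sessionId, params) {
  const data = getSession(sessionId);
  for (const key in params) {
    data[key] = params[key];
  }
  return data;
}

// Keys that must never be copied from user-controlled input into an object
// by bracket assignment.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: iterates own enumerable keys only (Object.keys, so nothing
// inherited by params is copied either), skips the forbidden names, and
// returns the rejected keys so the caller can log them as a detection signal.
function setHardened(sessionId, params) {
  const data = getSession(sessionId);
  const rejected = [];
  for (const key of Object.keys(params)) {
    if (FORBIDDEN_KEYS.has(key)) {
      rejected.push(key);
      continue;
    }
    data[key] = params[key];
  }
  return { data, rejected };
}

// Constructed request body of the kind the issue describes: a JSON object
// whose key is __proto__. JSON.parse creates it as an ordinary own property.
const HOSTILE_PARAMS = JSON.parse('{"user":"alice","__proto__":{"isAdmin":true}}');

function demo() {
  const polluted = setVulnerable('session-A', HOSTILE_PARAMS);
  const { data: clean, rejected } = setHardened('session-B', HOSTILE_PARAMS);
  return {
    // vulnerable: isAdmin is readable on the session although never written as an own property
    vulnerableIsAdmin: polluted.isAdmin,
    vulnerableOwnsIsAdmin: Object.hasOwn(polluted, 'isAdmin'),
    vulnerablePrototypeReplaced: Object.getPrototypeOf(polluted) !== Object.prototype,
    // hardened: prototype intact, isAdmin absent, hostile key reported
    hardenedIsAdmin: clean.isAdmin,
    hardenedPrototypeIntact: Object.getPrototypeOf(clean) === Object.prototype,
    rejected,
    // the one-level assignment does not reach the shared Object.prototype
    globalUntouched: ({}).isAdmin === undefined,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with `node` to see both results side by side. The blocklist matches the fix proposed in the issue; an alternative that needs no list is to store session data in a null-prototype object (`Object.create(null)`), on which `__proto__` is an ordinary key with no setter behind it.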