Node.js prototype pollution is bad for your app environment

Back in March, security researchers reported a critical command injection vulnerability in Parse Server, an open-source backend for Node.js environments. Rated 10 out of 10 on the CVSS scale of severity, the remote code execution hole was the result of prototype pollution, a security oversight that can be abused to hijack …

  1. Notas Badoff

    This is a very confusing or incomplete description. If I understand correctly, this is not just the Object prototype pollution problem, which has been known forever. Saying it is an object prototype pollution problem is misleading.

    Rather (reading between the lines) it is miscommunication/misdirection, stuffing admittedly bad information into Object that is then looked at by other software. That software is not verifying that the information came from the expected place, package.json say, but picking it up from the Object prototype.

    Oh dear, does reading JSON not use a clean Object.create(null) object?

    Anyway, the helpful notes in the NPM package situation mentioned would be - here are all the parameters you must fill in in package.json or else some software may be pulling answers out of a hat.

    1. badflorist Silver badge

      What does the "package.json" dependency have to do with adding or changing a property at runtime?

      The heart of this is that somebody has chosen inheritance and made sensitive variables public instead of private. You can blame JavaScript's prototypical model as it's a zero-sum inheritance model (not the best), but really this seems like "researchers" burning grant money to state obvious things about this model. Although to be fair, a lot of JS tutorials give examples of how to add properties to the parent classes via child classes and call it an "elegant" usage of "advanced inheritance" ... so they get what they deserve.

  2. OhForF'

    I am not familiar with JS and its environment so I am unsure what to make of this.

    If I can set properties to later change behavior of other code, could I not just run whatever code I'd like to inject directly?

    Is there some security context switch that makes it useful to run code of my choice later?

    1. badflorist Silver badge

      For how many iterations will it run? This way it becomes the new reference for any future lookups.

    2. wmertens

      Good question - I'm having trouble coming up with a situation where you can't just load the module you want to alter yourself and monkey-patch it.
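As an added illustration of the mechanism the thread is discussing (not code from the article, Parse Server, or any commenter), the block below shows why the `Object.create(null)` question above matters: a naive recursive merge of a parsed JSON body walks a `"__proto__"` key straight into `Object.prototype`, while a merge that skips prototype keys and builds into null-prototype objects does not. The JSON input and the `isAdmin` property are constructed sample values.

```javascript
// Constructed sample of attacker-controlled JSON (e.g. a request body).
// JSON.parse turns "__proto__" into an ordinary own property of the result.
const UNTRUSTED_JSON = '{"name":"demo","__proto__":{"isAdmin":true}}';

// Vulnerable: for..in visits the "__proto__" key, and target["__proto__"]
// resolves to Object.prototype, so the nested keys land on every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse prototype-related keys, copy own properties only, and
// create nested containers with Object.create(null) so there is no
// Object.prototype to reach through them.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : null;
      if (typeof existing !== 'object' || existing === null) target[key] = Object.create(null);
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Check whether merging the sample into a fresh object leaks "isAdmin" onto
// an unrelated object; undoes any pollution so the process stays clean.
function leaksToPrototype(merge) {
  merge({}, JSON.parse(UNTRUSTED_JSON));
  const probe = {};
  const leaked = probe.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}
```

Running `leaksToPrototype(unsafeMerge)` returns `true` and `leaksToPrototype(safeMerge)` returns `false`; the same input, with no executable code in it, is what separates the two outcomes.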
