Node.js prototype pollution is bad for your app environment Back in March, security researchers reported a critical command injection vulnerability in Parse Server, an open-source backend for Node.js environments. Rated 10 out of 10 on the CVSS scale of severity, the remote code execution hole was the result of prototype pollution, a security oversight that can be abused to hijack …
This is a very confusing or incomplete description. If I understand correctly, this is not just the Object prototype pollution problem, which has been known for ever. Saying it is an object prototype pollution problem is misleading.
Rather (reading between the lines) it is miscommunication/misdirection, stuffing admittedly bad information into Object that is then looked at by other software. That software is not verifying that the information came from the expected place, package.json say, but picking it up from the Object prototype.
Oh dear, does reading JSON not use a clean Object.create(null) object?
Anyway, the helpful notes in the NPM package situation mentioned would be - here are all the parameters you must fill in in package.json or else some software may be pulling answers out of a hat.
What does the "package.json" dependency have to do with adding or changing a property at runtime?
The heart of this is that somebody has chosen inheritance and made sensitive variables public instead of private. You can blame Javascript's prototypical model as it's a zero-sum inheritance model (not the best), but really this seems like "researchers" burning grant money to state obvious things about this model. Although to be fair, a lot of JS tutorials give examples of how to add properties to the parent classes via child classes and call it an "elegant" usage of "advanced inheritance" ... so they get what they deserve.
I am not familiar with JS and its environment so i am unsure what to make of this.
If i can set properties to later change behavior of other code could i not just run whatever code i'd like to inject directly?
Is there some security context switch that makes it useful to run code of my choice later?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
