-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump minimist from 1.2.5 to 1.2.6 in /web-widgets #4114
Bump minimist from 1.2.5 to 1.2.6 in /web-widgets #4114
Conversation
Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6. - [Release notes](https://github.com/substack/minimist/releases) - [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6) --- updated-dependencies: - dependency-name: minimist dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Prototype PollutionClick here to find a Prototype Pollution training lab DescriptionThe problem lies with the manner in which JavaScript implements inheritance by using a prototype. What this means, in a nutshell, is that every object contains a reference to the prototype of its class. When a property is requested from a particular object, the runtime first checks if the instance has the aforementioned property; otherwise, it looks it up in the prototype chain, recursively. The reference to the prototype is available via the Read moreImpactThe impact of Prototype Pollution is ultimately determined by the sensitivity and criticality of the data ingested by the application. It is not a vulnerability that is dangerous per se; rather, it all depends on how the application uses such untrusted properties. In other words, it merely alters the program data and flow. Scenario 1The following example considers an object (in a JavaScript console): > o = {x: 123, __proto__: {toString: () => console.log('Triggered!')}}
{ x: 123 }
> o + ''
Triggered!
'undefined' We have created an object with its own prototype that redefines the While this is important, it is unlikely that some kind of injection (e.g., an injection via GET parameters, cookies, etc.) ends up creating a JavaScript function ( In this case, there is no direct code execution, and the impact is merely that of adding another property to the object; since we are already injecting Scenario 2In this case, however, the application allows the alteration of an existing prototype. Consider the following: const someObject = {};
const someOtherObject = {};
// ...
someObject[UNTRUSTED_NAME] = UNTRUSTED_VALUE;
// ...
if (someOtherObject.isAdminEnabled) {
// do some sensitive stuff
} Being able to control UNTRUSTED_NAME = '__proto__';
UNTRUSTED_VALUE = {isAdminEnabled: 'whatever'}; PreventionThere are different approaches to preventing Prototype Pollution, the most trivial of which is to disallow untrusted data being assigned to arbitrary properties altogether. If this is not possible, developers might implement some filtering so that it is not possible to overwrite TestingVerify that the application protects against JavaScript injection attacks, including for eval attacks, remote JavaScript includes, DOM XSS, and JavaScript expression evaluation.
ReferencesMedium - What is Prototype Pollution and why is it such a big deal? |
Micro-Learning Topic: Injection attack (Detected by phrase)Matched on "injection attack"Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project Try this challenge in Secure Code WarriorMicro-Learning Topic: DOM-based cross-site scripting (Detected by phrase)Matched on "DOM XSS"DOM-based cross-site scripting vulnerabilities occur when unescaped input is processed by client-side script and insecurely written into the page Document Object Model (DOM). This will result in immediate changes to the page, potentially without any call to the server. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Cross-site scripting (Detected by phrase)Matched on "XSS"Reflected cross-site scripting vulnerabilities occur when unescaped input is displayed in the resulting page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context. Try this challenge in Secure Code WarriorMicro-Learning Topic: Denial of service (Detected by phrase)Matched on "denial of service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try this challenge in Secure Code Warrior |
Bumps minimist from 1.2.5 to 1.2.6.
Commits
7efb22a
1.2.6ef88b93
security notice for additional prototype pollution issuec2b9819
isConstructorOrProto adapted from PRbc8ecee
test from prototype pollution PRDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebase
will rebase this PR@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it@dependabot merge
will merge this PR after your CI passes on it@dependabot squash and merge
will squash and merge this PR after your CI passes on it@dependabot cancel merge
will cancel a previously requested merge and block automerging@dependabot reopen
will reopen this PR if it is closed@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.