Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent prototype poisoning in clone() #352

Closed
hueniverse opened this issue Feb 8, 2020 · 0 comments
Closed

Prevent prototype poisoning in clone() #352

hueniverse opened this issue Feb 8, 2020 · 0 comments
Assignees
@hueniverse
Labels
bug Bug or defect security Issue with security impact
Milestone
9.0.3

Comments

@hueniverse
Copy link
Contributor

If an object with __proto__ key is passed to clone() the key is converted to a prototype. This is only an issue if the system allows invalid content to make its way into the system internals where clone is used.

Unlike past prototype poisoning issues, this is considered low risk and hard to exploit. It is not an issue when clone() is used in hapi handlers and other methods since hapi ensures no such invalid object can pass into the application from user input.
@hueniverse hueniverse added bug Bug or defect security Issue with security impact labels Feb 8, 2020
@hueniverse hueniverse added this to the 9.0.3 milestone Feb 8, 2020
@hueniverse hueniverse self-assigned this Feb 8, 2020
hueniverse added a commit that referenced this issue Feb 8, 2020
@hueniverse
Backport #352. Closes #353
4d0804b
This was referenced Mar 10, 2021
Merged
Closed
Closed
Open
Open
Open
Merged
Merged
Open
This was referenced Mar 17, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hueniverse hueniverse

Labels
bug Bug or defect security Issue with security impact
Projects
None yet
Milestone
9.0.3
Development

No branches or pull requests
1 participant
@hueniverse