From 5c9ebb0b5fd025622cafbf8628ac259db0642533 Mon Sep 17 00:00:00 2001
From: Timo Machel
Date: Tue, 3 May 2022 15:31:41 +0200
Subject: [PATCH 1/2] fixed issue#33 CVE-2022-25645 added test for it

---
 package.json | 4 ++--
 src/merge.js | 1 +
 test/suites/pollution.js | 13 +++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 9180795..c4592c7 100644
--- a/package.json
+++ b/package.json
@@ -51,8 +51,8 @@
 "set"
 ],
 "devDependencies": {
- "bundt": "1.1.2",
+ "bundt": "1.1.5",
 "esm": "3.2.25",
- "uvu": "0.5.1"
+ "uvu": "0.5.3"
 }
 }
diff --git a/src/merge.js b/src/merge.js
index d428b14..49f467b 100644
--- a/src/merge.js
+++ b/src/merge.js
@@ -6,6 +6,7 @@ export function merge(a, b, k) {
 }
 } else {
 for (k in b) {
+ if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
 a[k] = merge(a[k], b[k]);
 }
 }
diff --git a/test/suites/pollution.js b/test/suites/pollution.js
index 2bca8dd..6965213 100644
--- a/test/suites/pollution.js
+++ b/test/suites/pollution.js
@@ -85,5 +85,18 @@ export default function (dset) {
 });
 });
 
+ // Test for CVE-2022-25645 - CWE-1321
+ pollution(
+ "should ignore JSON.parse crafted object including __proto__ :: provided by snyk",
+ () => {
+ var a = { b: { c: 1 } };
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}')); //Needs to craft payload with JSON.parse to keep the object key proto
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ }
+ );
+
 pollution.run();
 }
From f96df947a467c0ace07cc24e2b33b5335fd8ee9b Mon Sep 17 00:00:00 2001
From: Luke Edwards
Date: Tue, 3 May 2022 08:32:44 -0700
Subject: [PATCH 2/2] Apply suggestions from code review

---
 package.json | 4 ++--
 test/suites/pollution.js | 19 ++++++++-----------
 2 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/package.json b/package.json
index c4592c7..9180795 100644
--- a/package.json
+++ b/package.json
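Review bot: `break` on the added guard line in src/merge.js leaves the `for (k in b)` loop entirely at the first blocked key, so every legitimate key of `b` that iterates after `__proto__`, `constructor` or `prototype` is silently dropped from the merge; with an own `__proto__` key produced by `JSON.parse` and a sibling such as `{"__proto__":{"x":1},"d":2}`, `__proto__` comes first and `d` is never copied. Skipping only the poisoned key is what the fix needs: `if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;`. A why-comment above the guard would also help the next reader, e.g. `// CVE-2022-25645: never copy prototype-polluting keys from untrusted input`. The hunk covers only the object-merge branch — `merge` starts and ends outside it — and the code that walks the dotted key path in `dset` itself is not visible here, so it is worth confirming that path rejects the same three keys as well.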
@@ -51,8 +51,8 @@
 "set"
 ],
 "devDependencies": {
- "bundt": "1.1.5",
+ "bundt": "1.1.2",
 "esm": "3.2.25",
- "uvu": "0.5.3"
+ "uvu": "0.5.1"
 }
 }
diff --git a/test/suites/pollution.js b/test/suites/pollution.js
index 6965213..bf47756 100644
--- a/test/suites/pollution.js
+++ b/test/suites/pollution.js
@@ -86,17 +86,14 @@ export default function (dset) {
 });
 
 // Test for CVE-2022-25645 - CWE-1321
- pollution(
- "should ignore JSON.parse crafted object including __proto__ :: provided by snyk",
- () => {
- var a = { b: { c: 1 } };
- assert.is(a.polluted, undefined);
- assert.is({}.polluted, undefined);
- dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}')); //Needs to craft payload with JSON.parse to keep the object key proto
- assert.is(a.polluted, undefined);
- assert.is({}.polluted, undefined);
- }
- );
+ pollution('should ignore JSON.parse crafted object with "__proto__" key', () => {
+ let a = { b: { c: 1 } };
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}'));
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ });
 
 pollution.run();
 }
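Review bot: The rewritten test in test/suites/pollution.js only proves that neither `a` nor `Object.prototype` gained `polluted`; it never checks that ordinary keys sitting next to the `__proto__` key are still merged, so it cannot tell a `continue` from a `break` in the key loop of `merge` (the sibling hunk in PATCH 1/2 uses `break`, which would discard such keys). Extending the payload with a sibling key and asserting on it pins the intended behavior: `dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"},"d":2}'));` followed by `assert.is(a.b.c, 1);` and `assert.is(a.b.d, 2);`. As a minor style point, `a` is never reassigned, so `const a = { b: { c: 1 } };` reads better than `let`. The enclosing suite function starts outside the hunk, and `dset`'s own path-walking code is not visible here, so the assertion above is the only way from this file to confirm the fix does not over-block.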