-
-
Notifications
You must be signed in to change notification settings - Fork 727
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement a __proto__ check option #347
Comments
We are working on this as a security issue that was reported. |
In general unless there is a consensus that JSON.parse is fundamentally unsafe and should not be used, there isn't actually a security issue at hand in this module. The security issue highlighted there is the nature of the language itself, and one could argue that Object.assign is the vulnerable point, as that is the point of failure. P.S. I didn't mean to close the issue |
One method to protect your app if you have vulnerable code (and are not willing to fix it), would be to add the following middleware after body parser: app.use((req, res, next) => {
if (req.body && typeof req.body === 'object') Bourne.scan(req.body, { your options })
next()
}) This uses the https://github.com/hapijs/bourne instead of a reviver. Not sure if that is faster or not performance wise, off hand. |
I was thinking the same thing. Object.assign is definitely inconsistent here. Lets prevent developers from using Object.assign 😉 - ! Sadly not a practical solution. The argument for fixing this in |
Sure, but there are many other issues. For example, even Where would this end? What specifically makes removing |
Json.parse() creates an object that - when put through another JavaScript core API - results in an object that doesn't match the expected output. I am not familiar with all the properties that fall under that category but it looks like constructor is also one of those. |
Right, I get that, but doesn't requiring every module everywhere that does JSON.parse to add this seem like the wrong answer? It seems the root issue here needs to be fixed. What you're describing to me sounds like perhaps there is a real issue here in some new Javascript langauge features that should probably be addressed. If we add this, when will the conversation of the root issue ever happen? Is Object.assign fundamentally flawed? Is JSON.parse ? |
If this module is unsafe without this change, the Javascript Fetch API had the exact same issue: https://developer.mozilla.org/en-US/docs/Web/API/Body/json |
There is a fundamental, not communicated API inconsistency here. Those API's should simply behave same in that they return an enumerable In my intuition System API > Library API in regard to fetch.json: If you are accessing perfectly safe JSON it shouldn't add this restriction. Library that uses JSON.fetch to access unsanitized data: Then definitely. |
Unfortunately using Bourne's In my testing, using
@dougwilson I understand your hesitation to address this in body-parser and in general I agree that this seems like a larger problem that may need to be addressed in One option might be for body-parser to accept an optional |
Hi @rgrove I'm not necessarily hesitant to add something like this, but I would like to better understand the actual goal to protect here. It would be one thing if there was actually a vulnerability in this module -- the mere usage of this module caused prototype pollution. That does not seem to be the case here. Instead, the prototype pollution is occurring when one has code which takes the output of this module and does something with it, something which this module cannot control and know of easily. If the goal is to simply "add a option to remove the a property from an object tree, for example If the goal is to protect against prototype pollution attacked, then that is fair too, though I don't think simply removing If the goal is to accept custom parsers, for example to provide |
I've implemented an express middleware to address my concerns with https://www.npmjs.com/package/node-shield#express-4x-middleware-usage |
Context: - [Suggested at Express](expressjs/body-parser#347 (comment)) - [Prototype Pollution attack details](https://guidesmiths.github.io/cybersecurity-handbook/attacks_explained/prototype_pollution)
Context: - [Suggested at Express](expressjs/body-parser#347 (comment)) - [Prototype Pollution attack details](https://guidesmiths.github.io/cybersecurity-handbook/attacks_explained/prototype_pollution)
@dougwilson I would personally like to see a prototype pollution protection added to express. I doubt there are many legitimate uses of |
Do any of you personally use Express without prototype sanitization? What areas of your services would suffer as a result of Express handling prototype sanitization? |
@rgrove unless if I’m misunderstanding the docs incorrectly, can’t the Bourne check also be done within the body-parser middleware w/o the need to add a bespoke one after body-parser.json()? express.json({
verify: (req, res, buf, encoding) => {
scan(req.body)
}
}) |
@JaneJeon Good point! I haven't tested this, but it seems like this (or something like it) should work. |
I've published a forked version that replaces the |
Context: - [Suggested at Express](expressjs/body-parser#347 (comment)) - [Prototype Pollution attack details](https://guidesmiths.github.io/cybersecurity-handbook/attacks_explained/prototype_pollution)
Eran Hammer posted an article on proto poisoning and his solution in joi/hapi: https://hueniverse.com/a-tale-of-prototype-poisoning-2610fa170061
@rgrove posted a simple implementation of a fix for this: https://gist.github.com/rgrove/3ea9421b3912235e978f55e291f19d5d
However the fix requires a custom reviver that might slow down the default/valid parsing case, Eran prevented this by using an initial check for
__proto__
. It might be good to add this as a default to be checked for in body-parser in general that can be switched off... if someone wants to do so.The text was updated successfully, but these errors were encountered: