Description: Fix prototype pollution
CVE-2023-26136
Author: Yadd <yadd@debian.org>
Forwarded: not-needed
Last-Update: 2023-07-07
--- a/lib/memstore.js
+++ b/lib/memstore.js
@@ -39,7 +39,7 @@
constructor() {
super();
this.synchronous = true;
- this.idx = {};
+ this.idx = Object.create(null);
if (util.inspect.custom) {
this[util.inspect.custom] = this.inspect;
}
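Review bot: The reason for `Object.create(null)` is not recorded at the `this.idx` assignment in the constructor, so a later cleanup could turn it back into `{}` and reintroduce the pollution; a comment such as `// null prototype: domain/path/key come from cookie input, so "__proto__" must be a plain own key` would pin the intent. The same applies to the two assignments in putCookie and the reset in removeAllCookies, and with the expression now repeated four times a small private helper would keep the sites in step. Null-prototype objects have no `hasOwnProperty` and are printed by `util.inspect` with a `[Object: null prototype]` tag, so the `inspect` method referenced here and any test that matches its output should be checked; that code is not visible in this patch. The constructor's closing brace lies outside the hunk.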
@@ -109,10 +109,10 @@
putCookie(cookie, cb) {
if (!this.idx[cookie.domain]) {
- this.idx[cookie.domain] = {};
+ this.idx[cookie.domain] = Object.create(null);
}
if (!this.idx[cookie.domain][cookie.path]) {
- this.idx[cookie.domain][cookie.path] = {};
+ this.idx[cookie.domain][cookie.path] = Object.create(null);
}
this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
cb(null);
@@ -144,7 +144,7 @@
return cb(null);
}
removeAllCookies(cb) {
- this.idx = {};
+ this.idx = Object.create(null);
return cb(null);
}
getAllCookies(cb) {
--- a/test/cookie_jar_test.js
+++ b/test/cookie_jar_test.js
@@ -669,4 +669,29 @@
}
}
})
+ .addBatch({
+ "Issue #282 - Prototype pollution": {
+ "when setting a cookie with the domain __proto__": {
+ topic: function() {
+ const jar = new tough.CookieJar(undefined, {
+ rejectPublicSuffixes: false
+ });
+ // try to pollute the prototype
+ jar.setCookieSync(
+ "Slonser=polluted; Domain=__proto__; Path=/notauth",
+ "https://__proto__/admin"
+ );
+ jar.setCookieSync(
+ "Auth=Lol; Domain=google.com; Path=/notauth",
+ "https://google.com/"
+ );
+ this.callback();
+ },
+ "results in a cookie that is not affected by the attempted prototype pollution": function() {
+ const pollutedObject = {};
+ assert(pollutedObject["/notauth"] === undefined);
+ }
+ }
+ }
+ })
.export(module);
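Review bot: The new vow only checks that a fresh `{}` has no `"/notauth"` property; it never looks at the jar, so it would still pass if the store kept cookies under the wrong domain as long as `Object.prototype` stayed clean. Handing the jar to the vow (for example `this.callback(null, jar);`) and asserting on it, e.g. `assert.strictEqual(jar.getCookiesSync("https://google.com/notauth").length, 1);`, would confirm that the `google.com` lookup returns only the `Auth` cookie. If the fix ever regresses, the polluted key would also stay on `Object.prototype` for the rest of the test process, so a cleanup such as `delete Object.prototype["/notauth"];` after the assertion would keep one failure from cascading into later batches.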